The European Data Protection Board

National news

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
11 June 2019

The Danish Data Protection Agency has reported IDDesign A/S and proposed a fine of DKK 1,5 million for failure to delete data about 385.000 customers.
 
In the autumn of 2018, the Danish Data Protection Agency carried out a supervisory visit to Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.
 
Prior to the inspection, IDdesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other shops. In the old system information was gathered about the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385.000 customers. During the inspection, IDdesign also stated that personal data in the old system had never been deleted.
 
The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
 
IDdesign did not indicate when personal data in the old system are no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system.
 
The Data Protection Agency therefore considers that IDdesign has not complied with the data protection requirements of the data protection regulation by having processed the personal data for a longer time than necessary.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

07 June 2019

The information provided should enable users to understand what risks they may run and how they can protect their personal data.

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach. In that notification the company had declared that technical inquiries had spotted, on the 20th February, fraudulent accesses via a WiFi hotspot which had affected about one and a half million email credentials belonging to users that had accessed the service via webmail.

In the attempt to limit the consequences of the data breach, the company had ‘obliged’ users to reset their passwords and made available a webpage containing information on the data breach prior to emailing a communication to all the affected users. That communication was emailed afterwards; however, it proved to fall short of the requirements under DP legislation, based on the findings of the Garante’s inspection. Indeed, two different communications had been emailed by the company depending on whether the given user had changed his or her password or not in the 48 hours following publication of the information on the data breach.
In both cases the communication referred to ‘unusual activities on our IT systems’ and the users that had changed their passwords were not advised to take any additional measures as it was stated that the changed password had made the old credentials useless. Conversely, those users that had failed to change their passwords were only advised to do so in order to ‘do away with the risk of unauthorised access to your email account’. Such information was considered to be insufficient by the Garante in the light of the severe risks users had been exposed to.

Accordingly, the Garante ordered the company to reiterate the communication of the data breach to the affected users, by describing the type of breach and its possible consequences and providing users with specific guidance on what measures to take in order to prevent additional risks – such as not using the affected credentials and changing the passwords to access any other online service if those passwords are identical with or similar to the breached ones.  

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it 

28 May 2019

On Tuesday 28 May 2019, the Belgian DPA imposed its first financial penalty since the entry into application of the GDPR. The administrative fine amounts to EUR 2 000 and concerns the misuse of personal data for election purposes. Although the fine is modest, the message is not: Data protection is an important matter to us all, but data controllers must assume their responsibility, especially if they have a government mandate.

The Data Protection Authority imposes a sanction in the context of an election campaign

On Tuesday 28 May 2019, the Data Protection Authority (APD) imposed its first financial sanction since the entry into force of the GDPR. The administrative fine amounts to 2,000 euros and concerns the misuse of personal data by a mayor for election campaign purposes. Although the fine is modest, its message is important: data protection is everyone’s business, and data controllers must assume their responsibilities, especially when they hold a public mandate.

The case: a personalised election email sent by a public office holder

The APD received a complaint concerning a mayor’s use, for election campaign purposes, of data obtained in the course of exercising his duties.

The complainants had come into contact with the mayor of the municipality through their architect in the context of a change to a subdivision plan. On that occasion the architect had contacted the mayor by email with the complainants’ email addresses in copy. On the eve of the municipal elections of 14 October 2018, the mayor then used the email’s “Reply” function to send an election message to the complainants.

Both parties were heard by the Litigation Chamber of the APD on 28 May 2019. Following that hearing, the Chamber concluded that an infringement of the GDPR had indeed been committed.

Failure to respect the purpose limitation principle in data protection

The General Data Protection Regulation (GDPR) specifies that data collected by a controller (in this case the email addresses obtained by the mayor) must be collected for specified purposes and may not be further processed in a manner incompatible with those purposes. Reusing data obtained in the context of an urban planning project for election campaign purposes therefore contravenes this purpose limitation principle and constitutes an infringement of the GDPR.

The Litigation Chamber of the APD considers that respect for the purpose limitation principle is one of the crucial rules of the GDPR and that holders of a public mandate (such as mayors) to whom citizens have entrusted personal data must be particularly vigilant. They must be aware that data acquired in the course of public office may never be reused for personal purposes.

Taking into account, however, the limited number of persons affected, as well as the nature, gravity and duration of the infringement, the Litigation Chamber issued a reprimand together with a financial sanction in the form of a modest fine of 2,000 euros.

“The use of personal data by political figures for election campaign purposes is an issue of great concern to citizens. It is important to recall that public office holders must comply with the legislation,” explains Hielke Hijmans, President of the Litigation Chamber of the APD.

The GDPR: a regulation that applies to everyone

The Litigation Chamber’s decision is the first financial sanction imposed by the Belgian Data Protection Authority and comes just one month after its new executive committee took office. Although the fine is modest, its message is important: data protection is everyone’s business.

Hielke Hijmans adds: “Compliance with the GDPR applies to all controllers, and most certainly to holders of a public mandate. A mayor is expected to be aware of the regulations and to comply with his obligations

David Stevens, President of the APD, comments: “Protecting personal data is both a mindset and a practice: the controller must always take a critical look at the use it intends to make of the data at its disposal.”

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

21 May 2019

The State Data Protection Inspectorate has imposed an administrative fine in the amount of EUR 61,500 for the breaches of the General Data Protection Regulation. The sanctions were imposed on MisterTango UAB for the breaches of Articles 5, 32 and 33 of the afore-mentioned Regulation, i.e. the personal data breach in the payment initiation service system which, inter alia, has also not been reported to the supervisory authority. In the opinion of the Inspectorate, the start of imposing fines under the General Data Protection Regulation should be a significant signal to other companies which only declaratively comply with the provisions of the above legal acts.

The State Data Protection Inspectorate (Inspectorate) carried out an investigation and imposed a fine taking into account the received information on the personal data of bank customers which was made public and the possibly committed personal data breach at MisterTango UAB. The company operates internationally and provides payment services to the residents and companies of Lithuania and to foreign residents and companies. It has established a branch in Latvia and provides services in other countries. The Lithuanian supervisory authority, which coordinated its decision with the Latvian personal data protection supervisory institution according to the provisions of the General Data Protection Regulation (GDPR), had the opportunity to receive confirmation of the correctness of its conclusions from its colleagues. This case also shows that companies should pay more attention to the management of data breaches and cooperation with the supervisory authority in the course of the investigations.

Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it improperly processed personal data in screenshots (SS), made personal data publicly available and failed to report the personal data breach to the personal data protection supervisory authority.

Regarding improper processing of personal data. In the light of the information collected during the investigation and the provided clarifications, it has been determined that MisterTango UAB processes (accesses, collects) more personal data than it indicates as necessary for effecting of the payment initiated by the payer itself. The Inspectorate considers that, for the purposes of implementation of the data minimisation principle, only such data as the name, surname and, if the payer wishes, his/her identification code, bank account number, currency and balance, purpose of the payment/payment code necessary for effecting the payment should be collected. However, in addition to the afore-mentioned data, the company also collected such data as dates of provision of not reviewed electronic invoices, names of the senders and amounts; dates, topics of submission of not read notifications and a part of the text of the notification; purposes, types, amounts of the loans; names of the pension funds, accumulated units, value thereof, accumulated amounts; types of credits (e.g. mortgage credit), due balances, amounts and dates of other payments, numbers of the issued payment cards and amounts in such payment cards which should be considered as superfluous data. Furthermore, it has been determined that the company stores such data longer than it has established and indicated as necessary by itself, i.e. the data provided during the investigation suggests that the data was stored for 216 days instead of 10 minutes. According to Article 5 of the GDPR, the company shall be responsible for and be able to demonstrate compliance with the principle of accountability; nevertheless, the company failed to provide sufficient evidence to the supervisory authority during the investigation.

Regarding the publicity of personal data. During the investigation it has been determined that the website with the list of payments processed by MisterTango UAB was visible for more than 2 days (9-10 July 2018). The payments made by the customers of different bank institutions through the payment initiation service system of MisterTango UAB and personal data of such customers were made public. Besides, more than 9,000 SSs with the pages of details of the payment sessions of the customers of 12 different banks in different countries were made publicly available. Furthermore, it has been determined that management, installation and maintenance of the IT infrastructure (hardware and software) of MisterTango UAB were carried out by one employee. One employee fulfilled the contradictory functions. Consequently, proper minimisation of possible unauthorised or unintentional modifications and implementation of a proper personal data protection policy were not ensured. Thus, MisterTango UAB has failed to choose the appropriate technical or organisational measures which would help to ensure a level of security appropriate to the risk, including protection against unlawful processing and disclosure, thus breaching Articles 5 and 32 of the GDPR.

Regarding the failure to give the notification of the personal data breach. According to the GDPR, an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed shall be a personal data breach. From the point of view of the Inspectorate, the afore-mentioned incident where unauthorised persons were granted access to personal data on the Internet for 2 days should be considered as a data breach which must be reported to the supervisory authority. Therefore, MisterTango UAB was obliged to notify the personal data breach to the Inspectorate without undue delay and, where feasible, not later than 72 hours after having become aware of it. As MisterTango has failed to notify the Inspectorate of the breach, it breached Article 33 of the GDPR.

When deciding on the amount of the administrative fine, the Inspectorate took into account all circumstances relevant to extending liability to MisterTango UAB, for example, that the company processed the personal data in a non-transparent manner, to a greater extent and longer than necessary for achievement of the purpose of the processing; the unlawful processing was done systematically; it failed to ensure security of the personal data at the moment of the personal data breach, failed to report the personal data breach which has occurred and which had an impact on the personal data allowing to directly identify the data subject to the supervisory authority; furthermore, the data constituted the banking secrecy and was processed without encryption and during the period of the personal data breach the data was processed without ensuring control of access to such data. When imposing the administrative fine in the amount of EUR 61,500 on the company, the total annual worldwide turnover of the company was taken into account. The decision of the Inspectorate is not effective and may be appealed against to the court.

According to the data available to the Inspectorate, France, Spain, Germany, Poland, Austria, Bulgaria, Cyprus, Malta have already imposed significant fines under the GDPR.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt

24 April 2019
Two cases concerning Svea Ekonomi, a financial credit company, have been processed at the Office of the Data Protection Ombudsman. As a result, the Data Protection Ombudsman has ordered the company to correct its practices in the processing of personal data related to the assessment of creditworthiness, the right to inspect one’s own personal data and notification practices.

One of the cases concerning Svea Ekonomi has been processed at the Office of the Data Protection Ombudsman as a complaint made by a single data subject. It concerned the personal data used to assess creditworthiness and the data subject's right to inspect data concerning them. Furthermore, the Office of the Data Protection Ombudsman began to process the matter concerning the company's notification practices upon its own initiative.

 

In its decision, the Data Protection Ombudsman stated that the use of a categorical upper age limit in assessing creditworthiness is not acceptable under the definition of credit information set out in the Credit Information Act. The mere age of the credit applicant does not describe their solvency, willingness to pay or ability to deal with their commitments. Based on the account submitted by the company, the credit applicant's financial position has not been taken into consideration at all in the automatic processing of the credit application.

 

The Data Protection Ombudsman also pointed out that the company's on-line credit decision service should be considered automatic decision-making of the kind referred to in Article 22 of the General Data Protection Regulation, in which the decision is essential in order to conclude or implement an agreement between the company and the credit applicant.

 

In its decision, the Data Protection Ombudsman ordered Svea Ekonomi to change the processing of personal data related to assessing creditworthiness. The company must also provide the private person having complained about the matter with information on the logic employed in automatic decision-making, its role in making the credit decision as well as its consequences for the credit applicant.

 

The procedure employed by Svea Ekonomi for assessing creditworthiness was also processed at the National Non-Discrimination and Equality Tribunal, which in its decision 216/2017, dated 21 March 2018, prohibited the company from repeating a procedure that is against the Equality Act and the Non-Discrimination Act.

 

The Office of the Data Protection Ombudsman has also investigated Svea Ekonomi's notification practices related to the automatic decision-making system used to assess creditworthiness. The Data Protection Ombudsman stated that the current notification practices do not sufficiently specify the logic of data processing so that the credit applicant could understand the grounds for the decision and ordered that such notification practices be changed.

 

Based on the Data Protection Ombudsman's decision, Svea Ekonomi must notify by 30 April 2019 how it has changed its processing of personal data. According to the Office of the Data Protection Ombudsman, Svea Ekonomi has not applied for change in the decision, so the decision is legally enforceable.

 

Further information:
Data Protection Ombudsman Reijo Aarnio, tel. +358 40 520 7068, reijo.aarnio(at)om.fi

26 March 2019

The President of the Personal Data Protection Office (UODO) imposed its first fine for the amount of PLN 943 000 (around €220 000) for the failure to fulfil the information obligation.

“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity,” emphasised Dr Edyta Bielak-Jomaa, President of UODO.

Many people whose data were processed by the company were not aware of this. The controller did not inform them about the processing and thus deprived them of the possibility to exercise their rights under the General Data Protection Regulation (GDPR). Therefore, they had no possibility to object to further processing of their data, to request their rectification or erasure. The President of the Personal Data Protection Office considered the breach to be serious, since it concerns the fundamental rights and freedoms of persons, whose data are processed by the company and relates to the basic issue – the information on the processing of data. Imposing the fine is necessary, because the controller does not comply with the law.

As Piotr Drobek, Director of the Analysis and Strategy Department at UODO, explained, the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data. This shows how important it is to properly fulfil the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR.

The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website.

In the opinion of the President of the Personal Data Protection Office, such action was insufficient – while having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them, that is it should have informed them inter alia on: their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.

In the opinion of the UODO’s President, the provisions do not impose an obligation on the controller to send such correspondence by registered mail, which was raised by the company as an excuse for not fulfilling an expensive obligation.

In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal.

The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because, as it was established during the proceedings, the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons.

While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.

For further information, please contact the Polish Supervisory Authority: kancelaria@uodo.gov.pl / zwme@uodo.gov.pl

25 March 2019

The Danish Data Protection Agency has issued a statement declaring that it proposes to fine Taxa 4x35 for a total of DKK 1.2 million for a breach of the GDPR.

Taxa 4x35 could be fined for failure to delete customers’ data. This is the first time that the Danish Data Protection Agency proposes a fine in accordance with the rules of the GDPR.

8.873.333 taxi trips
In the autumn of 2018, the Danish Data Protection Agency inspected the Danish taxi company Taxa 4x35. According to Taxa 4x35, personal data used for booking and settlement of the taxi service are made anonymous after two years, since there is no longer a need to identify the customer.

However, only the customer’s name is deleted after these two years, but not the phone number. Therefore, information on the customer’s taxi trip (including addresses) can still be traced to the customer via the phone number, which is not deleted until five years have passed. At the time of the inspection, 8.873.333 personal data records were found for taxi trips older than two years.

Assessment by the Danish Data Protection Authority
The reason why the phone number is not deleted is, according to the taxi company, that the number is key to the system’s database and is therefore necessary in relation to the company’s product and business development.

According to the Danish Data Protection Authority, however, it is not acceptable to store personal data three years longer than necessary, only because the company’s system makes compliance with the GDPR burdensome.
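The Taxa 4x35 case above, like the IDdesign and MisterTango cases on this page, turns on retention: deleting the name while keeping the phone number that serves as the database key leaves every trip linkable to a person. The following is an added example, not code from any of the companies or authorities named here, showing how a retention job can be audited for exactly that mistake. The record layout, the `customer_key` surrogate, the two-year limit and all sample records are constructed for the illustration.

```python
from datetime import date, timedelta
import hmac
import os

# Fields that identify a customer directly; a record older than the retention
# period must not carry any of them (constructed list for this example).
DIRECT_IDENTIFIERS = ("name", "phone", "email")


def overdue(records, today, max_age_days):
    """Records whose trip date lies beyond the retention period."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in records if r["date"] < cutoff]


def retention_audit(records, today, max_age_days):
    """Trip ids of overdue records that still hold a direct identifier.

    This is the check that would have flagged 'name deleted, phone kept'.
    """
    return [r["trip_id"] for r in overdue(records, today, max_age_days)
            if any(r.get(field) for field in DIRECT_IDENTIFIERS)]


def anonymise_name_only(record, batch_key=None):
    """Flawed strategy: clears the name but keeps the phone-number key."""
    out = dict(record)
    out["name"] = None
    return out


def anonymise(record, batch_key):
    """Hardened strategy: clears every direct identifier.

    Trips by the same customer are still groupable inside one batch through a
    keyed-HMAC surrogate of the phone number; the batch key is generated for
    the run and discarded afterwards, so the surrogate cannot be reversed or
    joined against a later batch. Pickup/drop-off addresses are kept here for
    the sake of the illustration; in a real pipeline they are themselves
    indirect identifiers and need coarsening or removal as well.
    """
    out = dict(record)
    out["customer_key"] = hmac.new(batch_key, record["phone"].encode("utf-8"),
                                   "sha256").hexdigest()[:16]
    for field in DIRECT_IDENTIFIERS:
        out[field] = None
    return out


def run_retention(records, today, max_age_days, strategy):
    """Apply `strategy` to every overdue record, leaving recent ones untouched."""
    batch_key = os.urandom(32)          # discarded when the function returns
    cutoff = today - timedelta(days=max_age_days)
    return [strategy(r, batch_key) if r["date"] < cutoff else dict(r)
            for r in records]


def lookup_by_phone(records, phone):
    """How a trip would be traced back to a person through the phone number."""
    return [r["trip_id"] for r in records if r.get("phone") == phone]


# Constructed sample data: two old trips by one customer, one recent trip by another.
TODAY = date(2019, 3, 25)
MAX_AGE_DAYS = 730
RECORDS = [
    {"trip_id": "T1", "name": "A. Example", "phone": "+4512345678", "email": None,
     "pickup": "Example St 1", "dropoff": "Sample Rd 9", "date": date(2016, 1, 10)},
    {"trip_id": "T2", "name": "A. Example", "phone": "+4512345678", "email": None,
     "pickup": "Sample Rd 9", "dropoff": "Example St 1", "date": date(2016, 5, 1)},
    {"trip_id": "T3", "name": "B. Sample", "phone": "+4587654321", "email": None,
     "pickup": "Demo Ave 3", "dropoff": "Test Sq 2", "date": date(2018, 12, 1)},
]

if __name__ == "__main__":
    name_only = run_retention(RECORDS, TODAY, MAX_AGE_DAYS, anonymise_name_only)
    print("name-only audit:", retention_audit(name_only, TODAY, MAX_AGE_DAYS))
    print("traceable via phone:", lookup_by_phone(name_only, "+4512345678"))
    full = run_retention(RECORDS, TODAY, MAX_AGE_DAYS, anonymise)
    print("full audit:", retention_audit(full, TODAY, MAX_AGE_DAYS))
    print("traceable via phone:", lookup_by_phone(full, "+4512345678"))
```

The audit is the part worth keeping: it is independent of whichever anonymisation routine is in use, so a scheduled run of `retention_audit` over the live table reports any identifier that survived past the deadline the controller itself set.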

“We have opted for a fine in this case. This is due to the fact that there are very large amounts of personal data which have been stored without an objective purpose. One of the basic principles in the field of data protection is that you only store the information you need — and when you do not need it anymore, it must be deleted immediately,” says the Danish DPA’s director Cristina Angela Gulisano.

Next steps
In most European countries, national data supervisors themselves can issue administrative fines, but the rules are different in Estonia and Denmark. After having examined and assessed the case, the DPA transfers the case to the police. The police will then examine whether there is a basis for a charge etc. and, finally, any financial penalty will be settled before a court.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

21 March 2019

The NAIH received a public notice regarding a webpage http://web.dkp.hu operated by a Hungarian parliamentary party, Democratic Coalition (DK). In the public notice the NAIH was informed by a Hungarian citizen that the database containing personal data of the party’s supporters is openly accessible via an anonymous hacker forum. The database contains the users’ e-mail addresses, users’ full names, their login names and the weakly encrypted (MD5) passwords. The database became accessible on the hacker forum when an unknown attacker reached it due to an SQLi vulnerability of the webpage and then uploaded the data on the internet. DK was aware of the data breach, because the hacker informed them as well. The party nevertheless did not notify the NAIH of the breach, nor inform the data subjects, pursuant to Articles 33-34 of the GDPR.

The NAIH launched an administrative control procedure, which led to a data protection administrative procedure regarding Article 9 (1) and Article 33 (1) of the GDPR and the Hungarian Privacy Act Section 60 (1).

DK was of the opinion during the whole procedure that they are not obliged to notify the supervisory authority and the data subjects, because the leaked database contained only out-of-date personal data of the members and sympathizers of the party which has not been updated for years.

NAIH pointed out in its resolution that it is irrelevant regarding the risk of the data breach that the leaked data has not been updated for a long time. The breach is still considered as a high risk incident, because it affected data of real natural persons who are / could be still members or sympathizers of the political party. Therefore the NAIH considered it an aggravating circumstance regarding the risk of the breach that the concerned data are special categories of personal data revealing political opinions of data subjects. Moreover, DK used an out-of-date encryption technology (MD5) regarding the passwords, which can also cause a serious risk to the rights and freedoms of individuals, because the public availability of such information can lead to other breaches of online services used by the data subject.
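The NAIH release describes passwords stored as bare MD5 digests. MD5 is a fast, unsalted hash function rather than an encryption scheme, so two users with the same password share the same stored value and a leaked table can be matched against other services' leaks or against guessed passwords at very high speed. The block below is an added example, not code from the party or the NAIH: it contrasts that legacy storage with a salted, deliberately slow scrypt record from the Python standard library, and shows the usual defender's migration path of re-hashing each legacy record the next time its owner logs in successfully. The storage format, the user table and the scrypt parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme as described in the release: an unsalted MD5 digest of the password.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened scheme: salted scrypt. n=2**14, r=8, p=1 is a common interactive-login
# setting (about 16 MiB of memory per hash); constructed choice for this example.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a scrypt record."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True for any record not yet in the hardened format."""
    return not stored.startswith("scrypt$")


def login(users: dict, username: str, password: str) -> bool:
    """Verify against either scheme and upgrade a legacy record on success.

    The plaintext is only available at login, so this is the moment at which an
    MD5 record can be replaced without ever storing the password itself.
    """
    stored = users[username]
    if needs_rehash(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        if ok:
            users[username] = hash_password(password)
        return ok
    return verify_password(password, stored)


# Constructed user table: one legacy record, one already-migrated record.
USERS = {
    "alice": legacy_md5("correct horse battery"),
    "bob": hash_password("correct horse battery"),
}

if __name__ == "__main__":
    table = dict(USERS)
    # Same password, same MD5 digest: the legacy scheme leaks password equality.
    print("md5 equal:", legacy_md5("pw") == legacy_md5("pw"))
    # Same password, different scrypt records thanks to the per-record salt.
    print("scrypt equal:", hash_password("pw") == hash_password("pw"))
    print("alice login:", login(table, "alice", "correct horse battery"))
    print("alice record migrated:", not needs_rehash(table["alice"]))
```

Upgrading on login means the table is only fully migrated once every user has signed in; the remaining MD5 records stay exposed to the risk the NAIH describes until then, which is why a forced password reset for unmigrated accounts is the usual companion to this code.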

NAIH issued an administrative fine of 11 million HUF (~ 35 000 €) to DK for violating the provisions Article 33-34 of the GDPR because DK did not notify the high risk personal data breach to the supervisory authority and did not communicate it to the approximately 6000 data subjects despite being aware of it.

The decision of the NAIH is available in Hungarian at https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf

For further information, please contact the NAIH directly: ugyfelszolgalat@naih.hu

20 March 2019

A decision by the Italian Garante issued on 20 December 2018 set out the conditions for the Italian Revenue Agency to start processing activities under the new e-invoicing legislation that came into force on 1 January 2019 – whereby e-invoices will have to be issued for all payment transactions between suppliers of goods and services as well as between suppliers and consumers of those goods and services.

The December 20 Decision followed a previous decision by the Garante of 16 November 2018 where several criticalities had been highlighted in terms of data protection compatibility of the implementing mechanisms envisaged by the Agency. The November decision had led the Garante actually to issuing its first-ever ‘warning’, by relying on the new powers set out in Article 58 of the EU GDPR. The warning was addressed to the Revenue Agency to point out the ‘major criticalities related to the systematic, generalised, detailed processing of personal data on a large scale’ envisaged by the Agency, which was requested by the Garante to clarify how they planned to bring the relevant processing operations into line with the Italian and European legal framework.

An ad-hoc working party was set up by the Agency with the Garante and the Ministry of economics and finance to tackle and do away with those criticalities, involving additional stakeholders such as the National Council of Chartered Accountants and Accounting Experts, the National Council of Occupational Consultants, and the Association of Producers of Management and Accounting Software (AssoSoftware).

The working party dealt with the shortcomings pointed out by the Garante in its November decision, which were  multifarious in nature. Indeed, the Revenue Agency had planned to store and make available, on its web portal, all e-invoicing files in full (about 2.1 billion in 2017), but those files include detailed information on the purchased goods and services that is per se irrelevant for taxation purposes. On the other hand, that information can disclose consumption patterns in the most diverse areas  ranging from utilities and telecoms to transportation (highway tolls, flight tickets, hotel bookings) up to legal and health care services (where the e-invoice includes references to criminal or other proceedings or the medical diagnosis performed on a given patient undergoing treatment). This was found to be disproportionate compared to the public interest purpose the new legislation was intended to achieve.

The revised e-invoicing system envisages storage by the Agency of only the data required for the automated checks the Agency is called upon to perform for taxation purposes – e.g., in terms of consistency between e-invoicing data and the information held by the Agency on a given taxpayer; no information describing the purchased goods or services will be stored. Additionally, no e-invoices will have to be issued for health care services or goods. Storage of and access to the full contents of e-invoices will only be possible (after the initial implementing period) on the taxpayer’s specific request and based on agreements for which the Garante’s green light will be necessary.

Two additional major critical issues had been detected by the Garante, which had warned the Agency of the need to remedy them prior to the final roll-out of the system. One had to do with the role played by the intermediaries that taxpayers may rely on for transmitting, receiving and storing their e-invoices: since those intermediaries may provide their services to several companies and entities at the same time, there is an increased risk of data leaks or misuse through the cross-referencing and combination of huge amounts of information. Secondly, there were several IT security risks in the system, starting from the lack of data encryption mechanisms, especially for the e-invoices transmitted via 'certified' e-mail systems, which the Garante had urged the Agency to address.

Those additional critical issues were remedied in part by the working group, and in December the Garante called upon the Agency to make further efforts in that direction. In particular, the Agency will have to carry out an additional data protection impact assessment by 15 April of this year, pursuant to Article 35 of the GDPR. The Garante had already emphasised that the Agency should have carried out a DPIA before submitting the e-invoicing project to the Garante's scrutiny, in line with the data protection by design requirements set forth in the GDPR; indeed, the Garante had pointed out that such a requirement already existed in the pre-GDPR legislation under the 'prior checking' umbrella.

For further information, please contact the Italian SA directly: garante@garanteprivacy.it

19 March 2019

The Norwegian Data Protection Authority (Datatilsynet) has imposed an administrative fine of 1.6 million Norwegian kroner, or the equivalent of €170,000, on the Municipality of Bergen.
The incident relates to computer files containing usernames and passwords for over 35,000 user accounts in the municipality's computer system. The user accounts belonged both to pupils in the municipality's primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the schools' various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.

Inadequate Data Security
Datatilsynet found that the municipality's lack of appropriate measures to protect the personal data in the computer file systems constituted violations of both Article 5(1)(f) and Article 32 GDPR. Consequently, the supervisory authority issued an administrative decision imposing a fine of €170,000 on the municipality.
- The security in the login system has been so poor that unauthorized persons could get access to usernames and passwords in the learning platform and in the school's administrative systems, says director Bjørn Erik Thon.

The system in question contains information about a user’s name, password, date of birth, address, school affiliation and school grade. When employees and pupils log in, they get access to various systems, for instance the central digital learning platform, which contains the pupils’ schoolwork and the teachers’ evaluations of each individual pupil’s performance at school.
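As an added example, not part of the Datatilsynet press release and not code from the municipality's systems, the following Python script shows the kind of check that would have flagged the failure described above: it walks a directory tree, reports files whose permission bits make them readable by every local user, and counts lines that look like username/password records. The directory layout, file names, sample contents and the credential pattern are constructed assumptions for this example.

```python
"""Added example: find world-readable files that hold plaintext credentials.

Not code from Datatilsynet or the Municipality of Bergen. The sample files
built by build_sample_tree() and the line patterns below are constructed
assumptions; tune the patterns to your own export formats.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# "user,password" / "user:password" / "user=password" style records (assumption).
CRED_LINE = re.compile(
    r"^(?P<user>[A-Za-z0-9._-]{2,64})\s*[:;,=\t]\s*(?P<secret>\S{4,})\s*$"
)
# key=value lines whose key names a password or secret (assumption).
KV_SECRET = re.compile(r"(?i)\b(pass(word)?|pwd|secret)\s*[:=]\s*\S+")


@dataclass
class Finding:
    path: str
    mode: str              # permission bits, e.g. "0o644"
    credential_lines: int  # lines matching a credential pattern


def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. any local user can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def count_credential_lines(path, max_bytes=1_000_000):
    """Count lines that look like credentials; binary files are skipped."""
    with open(path, "rb") as f:
        data = f.read(max_bytes)
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return 0
    return sum(1 for line in text.splitlines()
               if CRED_LINE.match(line) or KV_SECRET.search(line))


def scan(root):
    """Return a Finding for every regular file that is both world-readable
    and contains at least one credential-looking line."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            if not is_world_readable(p):
                continue  # restricted file: not the Bergen failure mode
            creds = count_credential_lines(p)
            if creds:
                mode = oct(stat.S_IMODE(os.stat(p).st_mode))
                findings.append(Finding(p, mode, creds))
    return findings


def build_sample_tree():
    """Create a temporary directory with constructed sample files:
    one world-readable credential export, one properly restricted config,
    and one harmless note."""
    root = tempfile.mkdtemp(prefix="bergen-demo-")
    exposed = os.path.join(root, "elevbrukere.csv")   # pupil accounts (constructed)
    with open(exposed, "w", encoding="utf-8") as f:
        f.write("ola.nordmann,Sommer2018\nkari.nordmann,Vinter2019\n")
    os.chmod(exposed, 0o644)                           # readable by everyone
    restricted = os.path.join(root, "admin.conf")
    with open(restricted, "w", encoding="utf-8") as f:
        f.write("db_password=Hemmelig!\n")
    os.chmod(restricted, 0o600)                        # owner only
    note = os.path.join(root, "README.txt")
    with open(note, "w", encoding="utf-8") as f:
        f.write("Skoleportalen - internal notes\n")
    os.chmod(note, 0o644)
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(f"{finding.path}: mode {finding.mode}, "
              f"{finding.credential_lines} credential-looking line(s)")
```

The check is deliberately two-sided: a restricted file holding a password is a hygiene issue, but it is the combination of plaintext credentials and permissions that let every user read them that reproduces the finding in this case. In production, run the scan with the privileges of an ordinary user rather than root, so that what it can open is exactly what an unprivileged account can open.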

Personal data of 35 000 individuals, primarily children

The fact that the security breach encompassed the personal data of over 35,000 individuals, and that the majority of these are children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that the data security was inadequate.

- In the GDPR, children are defined as a particularly vulnerable group that shall be given special protection. It is important that municipalities and other public bodies that process personal data are aware of their responsibilities. Public authorities often process information about us that we do not control, neither do we have a choice in whether or not this information is made available to others. We should be able to trust the public sector, says director Bjørn Erik Thon.

The GDPR stipulates that administrative fines shall be effective, dissuasive and proportionate, and Datatilsynet is of the opinion that the size of the fine reflects this. The Norwegian Personal Data Act sets out that all Norwegian public authorities are subject to the provisions on administrative fines in art. 83 GDPR.  
Datatilsynet made its decision in March 2019, and on the 4th of April 2019, the municipality stated in a press conference that it did not wish to appeal the decision.

You can read the full press release in Norwegian here

For further information, please contact the Norwegian DPA: postkasse@datatilsynet.no

20 February 2019

The Commissioner has today issued his decision to the Lands Authority after concluding the investigation of the data breach that was brought to his attention by the Times of Malta on 23 November 2018. The findings of the investigation established that the online application platform available on the Authority's portal lacked the necessary technical and organisational measures to ensure the security of processing. The Lands Authority was found to have infringed the provisions of Article 32 of the General Data Protection Regulation (GDPR) and, in terms of Article 21 of the Data Protection Act (CAP. 586), was served with an administrative fine of €5,000. The level of the fine was reached after the Commissioner took into account the circumstances set out under Article 83(2) of the GDPR.

The temporary ban imposed on the Authority’s portal has been lifted.

The Lands Authority offered their full and unrestricted collaboration to the Commissioner during the course of the entire investigation.    

You can read the original press release here

For further information, please contact the Maltese Supervisory Authority: idpc.info@idpc.org.mt

12 February 2019

Summary
The Austrian Data Protection Authority has finalised its investigation into the Austrian Post (Österreichische Post AG) and issued a decision stating the Austrian Post has violated several provisions of the GDPR.

Specifically, the Austrian DPA is of the opinion that the Austrian Post processes special categories of personal data (political opinions) by attributing preferences for certain political parties to data subjects using statistical calculation methods. In the absence of explicit consent given by the data subjects concerned, and in the absence of any other legal basis for processing these data, the Austrian DPA found this to be contrary to the GDPR.

Furthermore, the Austrian DPA found that the DPIA for this kind of processing and the record of processing activities were erroneous.

Consequently, the Austrian DPA imposed an immediate ban on these processing operations, ordered the erasure of the data and ordered the Austrian Post to carry out a new DPIA and to rectify its record of processing.

The decision is not final and will be challenged before the Federal Administrative Court.

Data Protection Authority concludes investigation of the Post and finds infringements

Wien (OTS) - The Datenschutzbehörde took the reports that Österreichische Post Aktiengesellschaft (Post) processes data on party affinity as the occasion to open an ex officio investigation.

The investigation revealed that the Post does in fact, within the scope of the trade "Adressverlage und Direktmarketingunternehmen" (address publishers and direct marketing companies), determine, among other things, the party affinities of individuals by means of statistical methods.

The Datenschutzbehörde found that these data may not be processed without the consent of the data subjects. The Post was ordered to cease this data processing with immediate effect and to erase the data, unless in an individual case there is a reason for further processing. This could in particular be the case where an access request is being handled or where consent to the processing actually exists.

In addition, the Datenschutzbehörde found that the data protection impact assessment for this data processing and the entry in the internal record of processing activities are deficient. The Post was ordered to repeat the data protection impact assessment and to correct the entry.

For more information, please contact the Austrian supervisory authority at dsb@dsb.gv.at 

31 January 2019

In order to a) explore the level of compliance with the General Data Protection Regulation (GDPR), six months after its entry into force, and with the specific legislation on e-privacy, b) raise the awareness of data controllers and data subjects, and c) exercise its envisaged powers, the Hellenic DPA has carried out the following "ex officio" investigation, which was initiated in December 2018 and is ongoing.

More particularly, the Hellenic DPA investigated 65 controllers operating online in the fields of financial services, insurance services, e-commerce, ticket services and public sector services, to explore how specific requirements are met in the areas of transparency, the use of cookies, the sending of online messages and the security of websites, using indicative checkpoints as perceived by citizens while navigating and using internet services.

  1. The initial conclusions drawn from this initiative highlight, in general, a lack of compliance with the legislation on cookies and related technologies at almost all of the controllers.
  2. There was also a lack of information on the processing operations and the recipients of the data at around 40% of the controllers. It is worth noting that the public sector lags behind in compliance, mainly with regard to transparency, at almost all of the organisations investigated.
  3. By contrast, a satisfactory level of security was observed at a high percentage, more than 80%, of the data controllers.
  4. Furthermore, more than 70% of the private-sector controllers had designated a Data Protection Officer, which was noted as a sufficient degree of designation.

On the basis of the final conclusions of this first large-scale investigation to check compliance, after the entry into force of the Regulation, the DPA will exercise its powers that are envisaged by the pertinent provisions.

The investigation was presented in the Authority’s recent Information Day on the occasion of the 13th European Data Protection Day on January 28th and is available in Greek at www.dpa.gr  (http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/EUROPEAN_DP_DAY_GENERAL/2019_DP_DAY/FILES%202018/PANAGOPOULOU_G.PDF).

For further questions, please contact the Hellenic Data Protection Authority: contact@dpa.gr

21 January 2019

On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

The handling of the complaints by the CNIL

The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE's European headquarters are situated, did not make it possible to conclude that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have decision-making power over the processing operations carried out in the context of the Android operating system and the services provided by GOOGLE LLC in relation to the creation of an account during the configuration of a mobile phone.

As the "one-stop-shop mechanism" was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPAs. The CNIL applied the new European framework as interpreted by all European authorities in the European Data Protection Board's (EDPB) guidelines.

In order to deal with the complaints received, the CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing path of a user, and the documents he or she can access, when creating a GOOGLE account during the configuration of a mobile device using Android.

The violations observed by the restricted committee

On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.

A violation of the obligations of transparency and information:

First, the restricted committee notices that the information provided by GOOGLE is not easily accessible for users.

Indeed, the general structure of the information chosen by the company does not enable compliance with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for ads personalization, is excessively scattered across several documents, with buttons and links that must be clicked to access complementary information. The relevant information is accessible only after several steps, sometimes implying up to 5 or 6 actions. For instance, this is the case when a user wants complete information on the data collected for the personalization purposes or for the geo-tracking service.

Moreover, the restricted committee observes that some information is neither always clear nor comprehensive.

Users are not able to fully understand the extent of the processing operations carried out by GOOGLE, yet those processing operations are particularly massive and intrusive because of the number of services offered (about twenty) and the amount and nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in too generic and vague a manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough for the user to understand that the legal basis of the processing operations for ads personalization is consent, and not the legitimate interest of the company. Finally, the restricted committee notes that the information about the retention period is not provided for some data.

A violation of the obligation to have a legal basis for ads personalization processing:

The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons.

First, the restricted committee observes that the users’ consent is not sufficiently informed.

The information on processing operations for ads personalization is diluted across several documents and does not enable the user to be aware of their extent. For example, in the section "Ads Personalization", it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google Search, YouTube, Google Home, Google Maps, Play Store, Google Photos, etc.) and therefore of the amount of data processed and combined.

Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.

When an account is created, the user can admittedly modify some options associated with the account by clicking on the button "More options", accessible above the button "Create Account". It is notably possible to configure the display of personalized ads.

That does not mean that the GDPR is respected. Not only does the user have to click on the button "More options" to access the configuration, but the box for the display of personalized ads is moreover pre-ticked. However, under the GDPR, consent is "unambiguous" only with a clear affirmative action from the user (by ticking a box that is not pre-ticked, for instance). Finally, before creating an account, the user is asked to tick the boxes "I agree to Google's Terms of Service" and "I agree to the processing of my information as described above and further explained in the Privacy Policy" in order to create the account. The user therefore gives his or her consent in full, for all the processing purposes carried out by GOOGLE on the basis of this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that consent is "specific" only if it is given distinctly for each purpose.

The fine imposed by the restricted committee and its publicity

The CNIL restricted committee publicly imposes a financial penalty of 50 Million euros against GOOGLE.

This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive users of essential guarantees regarding processing operations that can reveal important parts of their private life, since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of the processing operations in question requires that users be able to control their data, and therefore that they be sufficiently informed and able to validly consent.

Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.

Finally, taking into account the important place that the Android operating system holds on the French market, thousands of French people create a GOOGLE account every day when using their smartphone. Furthermore, the restricted committee points out that the company's economic model is partly based on ads personalization. It therefore bears the utmost responsibility to comply with the obligations on the matter.

You can read the original press release here and in French here.

For further questions, please contact the CNIL directly: https://www.cnil.fr/en/contact-cnil