European Data Protection Board

National News

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.

2020

14 October 2020

The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.

In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality's new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or app. The municipality had not established nor communicated the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use.

This spring, the municipality was notified of the Data Protection Authority's intention to impose an administrative fine, and now the fine has been made final. 

- Bergen municipality has now received the final decision of an administrative fine of EUR 276,000, says Data Protection Authority Director-General Bjørn Erik Thon. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.


Danger to life and health

The decision emphasized that the municipality had not established nor communicated the necessary guidelines for information about children who have a clear interest in the information about them being processed with the highest degree of confidentiality.

- This applies to children who have registered a confidential or strictly confidential address in the National Register and who belong to a particularly vulnerable group. These children have a high need for protection, and in the extreme, life and health could have been in danger, says Thon.

Personal information that should have been confidential has instead been available to unauthorized persons. In one case, a contact list with information about "confidential address" was distributed to parents at a grade level.

- The risk assessments were inadequate. Among other things, there was no assessment of risk associated with information about relationships between parents and children, Thon emphasizes.

You can read the original press release on the Norwegian DPA website in English here, and in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
07 October 2020

The Facts

Three Belgian plaintiffs had lodged a complaint with the Belgian Data Protection Authority against a regional public environmental institution. This institution has the competence to take action in the case of a breach against environmental legislation, for example in the case of littering. The institution could for example fine a citizen when it finds unlawfully placed garbage containing letters with the name of that citizen. Such a fine had been issued to the first plaintiff. 

However, in the decision imposing the fine, the institution also referred to the civil partner of the first plaintiff, and the alleged father-in-law of the first plaintiff. The institution found the name of and the link to the civil partner (the second plaintiff) in the National Register of the first plaintiff. The alleged father-in-law (the third plaintiff) had communications with the institution in order to defend the first plaintiff in the environmental procedure initiated by the institution. The institution had concluded in its decision, based on the family name of the second and the third plaintiff, that there was a family connection between the two. 

Decision of the Litigation Chamber

The Litigation Chamber of the Belgian DPA upheld, among other things, that: 

-    the mentioning of the name of the second plaintiff, its link to the first plaintiff, as well as the alleged family link between the second and the third plaintiff, based on information retrieved from the National Register, constitutes unlawful processing (article 6.1 GDPR), as the legal ground for the processing activities in this specific context is deemed to be carrying out a task in the public interest (article 6.1.e. GDPR), and this processing in concreto was not necessary to carry out the task (environmental enforcement in a decision to impose a fine on the first plaintiff) in the public interest; 

-    the mentioning that there is a family connection between the second and the third plaintiff could be incorrect, and is based on assumptions not necessary to mention in a decision by the institution in this concrete context, which means the personal data of all plaintiffs is not processed in accordance with the principles of accuracy and data minimisation (resp. article 5.1.d. and article 5.1.c. GDPR.), which means the institution breaches these GDPR-provisions. 
The Litigation Chamber issued a warning and reprimand to the institution in accordance with article 58.2.a. and 58.2.b GDPR. 

To be conclusive, it can be mentioned that the Litigation Chamber of the Belgian DPA cannot impose an administrative fine on a Belgian public institution or any other government body, as this was excluded by the Belgian legislator.

You can find the final decision in Dutch here.

For further information, please contact the Belgian DPA: contact@apd-gba.be 

02 October 2020

The Hamburg Commissioner for Data Protection and Freedom of Information imposes a 35.3 Million Euro Fine for Data Protection Violations in H&M's Service Center

In a case concerning the monitoring of several hundred employees of the H&M Service Center in Nuremberg by its management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 Euros against H&M Hennes & Mauritz Online Shop A.B. & Co KG.

The company is registered in Hamburg and operates a service center in Nuremberg. Since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave - even short absences - the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.

This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the contents of the network drive to be "frozen" and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practices after analyzing the data.

The discovery of the serious violations has prompted those responsible to take various corrective measures. The HmbBfDI was presented with a comprehensive concept how data protection is to be implemented at the Nuremberg site from now on. In order to come to terms with the past events, the company management has not only expressly apologized to those affected, it has also followed the suggestion to pay the employees a considerable compensation. This is an unprecedented acknowledgement of corporate responsibility following a data protection incident. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, increasingly communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.

Prof. Dr. Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information, comments: "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.

Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company."

For more information, you can go to the Hamburg Commissioner for Data Protection and Freedom of Information website here, or email them at mailbox@datenschutz.hamburg.de.


25 September 2020

Financial sanction on a company due to carrying out electronic direct marketing without prior consent as well as neglecting the rights of the data subject 


The sanctions board of the Finnish Data Protection Ombudsman has imposed an administrative fine on Acc Consulting Varsinais-Suomi (Independent Consulting Oy) for sending electronic direct marketing messages without prior consent as well as neglecting the rights of the data subject. The company did not respond to or implement the requests concerning the rights of data subjects, and it was not able to prove that it had processed personal data legally.


During the spring and summer of 2019, the Office of the Data Protection Ombudsman received eleven complaints on the electronic direct marketing of the company and the company neglecting the rights of the data subject in accordance with the General Data Protection Regulation (GDPR). The topics of direct marketing included various courses, such as hot work and asbestos removal.


Reprimand for the lack of consent for electronic direct marketing
In the complaints, the data subjects reported that they had received direct marketing messages from the company without consenting to it. According to section 200 of the Information Society Code (917/2014), direct marketing may only be directed at natural persons who have given their prior consent. According to Article 4(11) of the EU General Data Protection Regulation (GDPR), the consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes. 


Some of the data subjects have responded to the marketing message sent as an SMS as requested by the controller in order to prohibit direct marketing. Despite the prohibition, the data subjects have still received direct marketing messages from the controller. Therefore, the controller has failed to implement the data subjects’ right to object in accordance with the GDPR. 


In the controller’s view, it has targeted the electronic direct marketing at corporations, to which prior consent does not apply according to the Information Society Act. The controller has stated that the telephone numbers of data subjects were used by the company in which the data subject works, and that these companies are within the scope of the controller’s customer segment. 


However, the Deputy Data Protection Ombudsman states that before targeting the direct marketing, the controller should have separately determined the position of the person in question in the corporation and assessed especially whether the marketed courses were significantly linked to the person’s duties. Therefore, the direct marketing by the controller targeted at natural persons cannot be considered to be intended for a corporation, and the controller should have requested the consent of the data subject for the electronic direct marketing. 


The controller has been given a reprimand after it processed personal data without the consent required by the GDPR. In addition, the Deputy Data Protection Ombudsman obliges the controller to correct its operating methods with regard to direct marketing targeted at corporations.


Neglecting the rights of the data subject and failure to comply with accountability
In addition, in some of the complaints, the data subjects had made requests concerning their rights in accordance with the GDPR. However, the controller did not respond to the requests without undue delay and within one month of receiving the request at maximum, as required by the GDPR. The controller has not implemented any requests related to these rights, either. 


According to the Deputy Data Protection Ombudsman, the controller does not seem to have organised its operating methods in processing personal data in such a way that the controller would be able to tell if it has implemented the rights of the data subjects or received requests related to the rights. The Deputy Data Protection Ombudsman states that as a result, the controller was not able to prove that it had processed personal data legally. 


The Deputy Data Protection Ombudsman gave the company a reprimand for neglecting the rights of the data subject and failing to implement them. The Deputy Data Protection Ombudsman also ordered the company to change its operating methods and implement the rights of the data subject in accordance with the GDPR.


A financial sanction was imposed on the company
The sanctions board of the Office of the Data Protection Ombudsman imposed a financial sanction of EUR 7,000 in addition to the corrective measures mentioned above. The sanctions board considers the sanction to be proportionate and function as an effective deterrent with regard to the nature of the offences.


The intentional nature of the act, the number of similar offences over a short period of time, the disinterest of the controller in cooperating with the supervisory authority and the fact that the controller has not demonstrated that it has implemented corrective measures with regard to direct marketing and the realisation of the rights of the data subjects while the matter is being resolved have been taken into account as aggravating factors in the decision. 


As a mitigating factor for the amount of the financial sanction, it has been taken into account that during the preparation of the case, it has not been found that the data subjects would have suffered financial or other material damage.


The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.


You can read the decision of the sanctions board on electronic direct marketing and the rights of the data subject in accordance with the GDPR in Finlex (in Finnish) here.
The decisions of the Deputy Data Protection Ombudsman are published in Finlex (in Finnish) here.


The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.

For further information, please contact the Finnish DPA: tietosuoja@om.fi

17 September 2020

The Norwegian Data Protection Authority has issued the Norwegian Public Roads Administration a fine of 37,400 EUR (400 000 NOK) for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days. 


The background of the fine is the extensive processing of personal data by using fixed road cameras to monitor contract parties, employees, subvendors and the subvendors’ employees. 


The usage of such photos for documenting breaches of contract several months after the incidents took place is incompatible with the original purpose, which was to make possible immediate security measures. It is therefore not allowed to use these video recordings to follow up contracts. 


When evaluating whether this usage of the video recordings was compatible with the originally stated purpose, the Norwegian Data Protection Authority has emphasized that the new usage is at considerable disadvantage to the contract parties and their employees, and that it is in conflict with how the contract parties can expect the personal data to be used. 

You can read the original press release on the Norwegian DPA's website in English here, and in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

11 September 2020

The President of the Personal Data Protection Office, after having found a personal data breach by the Warsaw University of Life Sciences (SGGW), imposed a fine on this entity in the amount of PLN 50 000.


Let us remind you that in November 2019 the President of the UODO received a notification of breach of personal data of candidates for studies at SGGW. The notification was related to the theft of a portable private computer of the university employee, who used this device also for business purposes, including the processing of personal data of candidates for studies at SGGW for the purposes of recruitment activities. After an inspection carried out at the university in connection with a data breach, the President of the UODO instituted ex officio administrative proceedings.


On the basis of the evidence collected during the proceedings, the President of the UODO imposed an administrative fine on the university. In deciding on the amount of the fine, the supervisory authority took into account that the personal data breach concerned candidates for studies at SGGW for the last five years, covered a wide range of data and that the number of persons affected could be up to 100 (upper limit). It was also important for establishing the amount of the fine that the controller had no knowledge of the processing of personal data on the employee’s private computer, nor did it control the processing of data by failing to verify on which media the personal data of candidates for studies collected from the IT system were processed and by failing to record this operation in the IT system. The above circumstances indicate a breach of the principle of confidentiality and accountability specified in the GDPR.


It is worth noting that the personal data of candidates for studies from five years of recruitment were processed, which was non-compliant with the prescribed period of storage of personal data of candidates for studies, which was specified in SGGW as three months after completion of the recruitment process. This constitutes a breach of the principle of storage limitation provided for in the GDPR.


Moreover, in the course of the conducted proceedings it was established that the university had not implemented appropriate organisational and technical measures to ensure the security of the processing of personal data of candidates for studies.


It is the controller’s obligation to implement appropriate technical and organisational measures to ensure the security of the data processed. They should be reviewed and updated on an ongoing basis to existing legislation and changing technology. It should be noted here that the establishment of appropriate technical and organisational measures is a two-step process. First of all, it is important to identify the level of risk associated with the processing of personal data. Then it is necessary to establish which technical and organisational measures will be appropriate to ensure a level of security appropriate to this risk. Those arrangements should include measures such as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.


In the opinion of the supervisory authority, the measures taken by the university including the processing of data of candidates for studies were insufficient.


At the same time, the President of the UODO stated that in the case concerned the Data Protection Officer (DPO) performed its tasks without having due regard to the risk associated with processing operations. The appointed Data Protection Officer was not involved by the university in the recruitment process for studies covering the functioning of the IT system intended for this activity. The involvement of a DPO could reduce the risk of inappropriate processing.


When imposing a fine, the President of the UODO took into account attenuating circumstances, such as: good cooperation with the supervisory authority both in the course of the inspection and during the administrative proceedings, taking action by the university to remedy the infringement and ensure security in the processing of data in the future.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

08 September 2020

The Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information, hereinafter: Authority) imposed a total of 4.5 million forints in data protection fines on Mediarey Hungary Services Zrt. (hereinafter: Publisher), the publisher of the Hungarian Forbes magazine in two cases.


NAIH/2020/1154

The Authority established in its decision No. NAIH/2020/1154/9 of 23 July 2020 that by not carrying out proper interest assessment in relation to the printed and the on-line versions of the Forbes publication containing the largest family undertakings published in September 2019 and the printed and the on-line versions of the Forbes publication containing the 50 richest Hungarians published in January 2020, and by failing to inform the Complainants (the data subjects) in advance about the results of comparing the legitimate interests of its own and of a third party (the public) and of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation. 

Furthermore, the Authority established that by not providing adequate information to the Complainants about all the essential circumstances of data processing and of the right of the Complainants to object to the processing of their personal data, and by failing to provide information on the possibilities of the Complainants to enforce their rights in its response to the requests of Complainants to exercise their rights as data subjects, the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14, Article 15 and Article 21(4) of the General Data Protection Regulation.


NAIH/2020/838

The Authority established in its decision No. NAIH/2020/838/2 of 23 July 2020 that by not carrying out proper interest assessment in relation to the printed and the on-line versions of the Forbes publication containing the largest family undertakings published in January 2019 and the printed and the on-line versions of the Forbes publication containing the 50 richest Hungarians published in September 2019 and by failing to inform the Complainants (the data subjects) of the results of comparing the legitimate interests of its own and of a third party (the public) and of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation.

Furthermore, the Authority established that by not providing adequate information on all the essential circumstances of processing to the Complainants and about the Complainants’ rights to object to the processing of their personal data, and, in spite of the information it learned, by failing to demonstrate after the objection that the data processing was justified by legitimate reasons of compelling force overriding the interests, rights and freedoms of the Complainants in its responses to the Complainants’ requests aimed at exercising their rights as data subjects, the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14 and Article 21(1) and (4) of the General Data Protection Regulation.

Because of the infringements established, the Authority reprimanded the Publisher in both cases and at the same time ordered it 
-    to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights;
-    to carry out the interest assessment including the second individual interest assessment following the objection in accordance with the legal regulations and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis;
-    to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions.

Because of the established infringements, the Authority imposed a data protection fine of 2 million forints in its decision NAIH/2020/1154/9 and 2.5 million forints in its decision NAIH/2020/838/2 on the Publisher.

The reason for the difference in the amounts of the fines is that despite the fact that the Publisher was aware of the specific circumstances of the Complainants in the case constituting the subject matter of decision NAIH/2020/838/2, the Publisher failed to carry out an individual interest assessment, the result of which would have demonstrated that data processing was justified by legitimate reasons of compelling force overriding the interests, rights and freedoms of the Complainants even after the objection by the Complainants.

The Authority did not arrive at a position that it was not at all possible to make lists of businessmen and companies and reports on them in this form. Forbes may compile lists on the basis of business data accessible to the public, but the publication of the lists is subject to the stringent requirements of the General Data Protection Regulation and the Publisher as controller must comply with these requirements.

The Authority supports the practice present also in the Hungarian market, according to which the various rich lists or publications listing the richest Hungarians do not in all cases include the name of the data subject and/or an entry on the data subject provided that it has sufficiently grounded reasons, and they display a single letter instead of the full name, and minimal information instead of the entry presenting the activities of the data subject (e.g. the name of the given industry, the magnitude of the assets associated with the data subject) following the well-grounded objection by the data subject.

A petition for review was submitted to the Fővárosi Törvényszék (Budapest Tribunal) by the Publisher against decision NAIH/2020/838/2 and by both parties against decision NAIH/2020/1154/9.

You can read the original press release on the Hungarian DPA website here.

For more information, please contact the Hungarian DPA here: privacy@naih.hu

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

02 September 2020


The infringement of the principle of lawfulness of personal data processing and the intentional making available, without a legal basis, on the GEOPORTAL2 portal (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers are the reasons for imposing an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (GGK).


Moreover, GGK must adapt the processing of personal data to the provisions of the GDPR by ceasing to make available on the GEOPORTAL2 portal (www.geoportal.gov.pl) personal data consisting of land register numbers obtained from the land and property registers (kept by the starostes).


The President of the UODO decided to carry out inspection activities at the Surveyor General of Poland at the beginning of March 2020. However, GGK prevented the possibility of examining the legality of publishing information on land register numbers on GEOPORTAL2. In the course of the inspection, it made available only documentation specifying the organisational measures applied to ensure data security and the evidence proving the appointment of the Data Protection Officer. As a result, the President of the UODO imposed an administrative fine on GGK (https://uodo.gov.pl/en/553/1146). However, despite the refusal to allow an inspection, GGK gave testimony which served as evidence in the present proceedings.


According to the testimony submitted, GGK publishes information obtained from land and property registers (including land register numbers) from 90 poviat starosties only on the basis of agreements concluded with them.


In accordance with Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data is processed lawfully only in cases where at least one of the conditions indicated in Art. 6 GDPR is met.


In the course of the proceedings, GGK did not indicate a provision of law which would constitute the legal basis for its activity. Moreover, none of the legal provisions governing matters related to the activities of the Surveyor General of Poland allows it to make available data obtained from the starosties within the framework of GEOPORTAL2. In the opinion of the President of the UODO, the Surveyor General of Poland, aware of the lack of a clear legal basis for the processing of land register numbers, concluded agreements with the starostes on the basis of which it obtained information from the land and property registers (including land register numbers) kept by the starostes for the purpose of their publication on GEOPORTAL2. The supervisory authority considered that these agreements concerned the creation and maintenance of common elements of the technical infrastructure intended to store and make available certain data filing systems, but did not constitute a legal basis for making available the data, including land register numbers. Such a basis must result from commonly binding legal provisions.


Having regard to the above, the President of the UODO considered that personal data in the form of land register numbers were made available on GEOPORTAL2 without a legal basis. Such action results in an infringement of Article 5(1)(a) and Article 6(1) of the GDPR. Legal doctrine holds the view that making personal data available from public filing systems in the absence of a clear legal basis for that operation is unlawful.


In this case, it is undeniable that the land register numbers processed on www.geoportal.gov.pl constitute personal data. According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


The scope of data disclosed in the land register of natural persons includes, among others, names, surnames, parents’ names, PESEL number (personal identification number), property address. The publication of such data allows the identification of the person whose data is contained in the land register. By publishing land register numbers on Geoportal2, access to the information contained in them can be obtained by any interested Internet user. This type of situation may expose a very large number of people (data subjects) to theft of their identity.


When imposing a fine, the supervisory authority took into account not only the severity of the infringement, its nature and duration, but also the intentional character of the action.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.
This press release can be seen as a follow up to an article previously posted here on the EDPB website.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

02 September 2020


The President of the Personal Data Protection Office (UODO) imposed the penalty of a reprimand for the processing of students’ personal data without a legal basis in connection with a survey carried out by a school in the 2019/2020 school year. The survey, entitled “Diagnosis of student’s home and school situation”, examined the personal situation of students.


In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.


The processing of students’ personal data included collection, storage and destruction of those data.


In the course of the UODO’s inspection it was established that the survey was conducted to identify students who require psychological support from the school they attend. The survey was carried out by class teachers in classes 7-8 of elementary school and in high school classes. It was conducted on blank paper forms, on the direct instruction of the school principal.


All returned copies of the survey were destroyed by an official commission. According to the findings of the inspection, personal data included in the surveys were not entered into electronic telecommunication systems, were not recorded on electronic data carriers or other information carriers, including in paper form. After collecting the surveys, the teachers did not make any scans or paper copies of them, nor did they make other additional documents containing personal data concerning the surveys. As of the date of the inspection, students' personal data obtained in connection with the surveys were no longer processed.


According to the evidence obtained as a result of the inspection, the surveys were conducted in a way that excludes the possibility of unauthorized disclosure of the data contained in them.


By conducting the survey among students, the school violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. This principle is given concrete form in Article 6(1)(c) of the GDPR, according to which processing is lawful only if, and to the extent that, it is necessary for compliance with a legal obligation to which the controller is subject.


The school, as a public entity, may process personal data within the scope of its tasks imposed by law. In turn, according to the Educational Law, schools process personal data to the extent necessary for the performance of the tasks and obligations arising from these regulations. The legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way it was done in the penalised entity, in connection with the conducted survey.


The President of the UODO considered that, in the established circumstances of this case, a reprimand was sufficient. The unintentional nature of the infringement was considered to be a mitigating circumstance. The school principal immediately took a number of corrective measures, such as the destruction of the survey forms or the decision by some teachers to refrain from carrying out the survey, the organisation of training for staff to raise their awareness of personal data protection issues, and an analysis of the incident of conducting the survey among students in light of the risk to the rights and freedoms of natural persons. Moreover, on the basis of the circumstances of the present case, there are no grounds to consider that the data subjects have suffered damage as a result of the event. The President of the UODO has not received any signals that similar behaviours resulting in violations have taken place on the part of the school.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

20 August 2020

The Belgian DPA imposed a fine of 20,000 EUR on telecom operator Proximus for several data protection infringements during the processing of personal data for the purpose of publishing public telephone directories.

The facts
A Belgian citizen (the plaintiff) had requested Proximus, the publisher of a public directory, to retract the publication of his personal data in Proximus’ public directory, as well as the publication of the personal data in the directory of other publishers. Proximus, as publisher of its own public directory, had confirmed towards the plaintiff it would no longer publish the personal data, and would also inform other publishers of a public directory to not publish the personal data of the plaintiff. However, a few months later, the plaintiff discovered his personal data had not only been published in the directory of Proximus, but also in the ones of other publishers of a public directory. In its communication towards the plaintiff, Proximus also mentioned it had transferred the personal data of the plaintiff to other publishers of a public directory. 

Background: lex specialis of the e-Privacy Directive
In Belgium, the consent for the publication in a public directory is given in accordance with the provisions of national telecommunications law. Those provisions are the national implementation of article 12 of the e-Privacy Directive. Although the e-Privacy Directive forms lex specialis vis-à-vis the GDPR (as lex generalis), as stated in article 95 GDPR, the provisions of the GDPR with regard to consent remain applicable as preconditions for lawful processing with regard to the consent in article 12 of the e-Privacy Directive.

Decision of the Litigation Chamber 
The Litigation Chamber of the Belgian DPA upheld, among other things, that:
-    Proximus publishes its own public directory and must therefore be considered as a controller for several relevant processing activities. As such, it has a responsibility to align the withdrawing of the data subject’s consent with the actual processing activities. It is apparent that Proximus did not take the appropriate measures to ensure and be able to demonstrate that the personal data of the complainant was not unlawfully processed after the withdrawal of the consent. Thus, Proximus had not fulfilled its obligations (appropriately) as a controller, and therefore infringed article 6 GDPR read in conjunction with article 7 GDPR, as well as articles 24 and article 5.2 GDPR.
-    Proximus did not provide the data subject with transparent information during and after the handling of his request, nor did it appropriately facilitate the exercise of his data subject rights, and therefore infringed article 12 and article 13 GDPR. 
The Litigation Chamber decided not to pseudonymise the name of the defendant, as the publication of that identity was in the public interest. 
 

You can find the final decision in Dutch here.

For further information, please contact the Belgian DPA: contact@apd-gba.be 

18 August 2020

The Spanish Data Protection Authority (AEPD) imposed a fine of 1.200 EUR on a company for calling the data subject, offering them a deal on hotels, while they were included in an advertisement exclusion system. By joining this system, the data subject exercised their right to object to processing for marketing purposes under Article 21 GDPR. However, the company did not comply with its obligation of consulting the advertisement exclusion system before making a telephone call with marketing purposes in order to avoid processing their personal data. 

The data subject received a call from the data controller’s number, stating that a friend of them had provided the company with their telephone number so that they offer them a hotel voucher, naming other friends of theirs and declaring that they had joined the promotion. 

The AEPD considered that this constitutes a breach of Article 48(1)(b) of the Spanish General Telecommunications Law 9/2014.
 

You can read the text of the decision in Spanish here.

For further information, please contact the Spanish DPA: prensa@aepd.es

18 August 2020

 

The Spanish Data Protection Authority (AEPD) imposed a fine of 75.000 EUR on VODAFONE ESPAÑA for processing the claimant’s telephone number for marketing purposes after they had exercised their right to erasure in 2015, despite which the data subject was sent advertising SMS messages. The controller stated that the claimant’s number, being easy to remember, had been used as a “dummy number” by its employees.

The AEPD considered that VODAFONE ESPAÑA violated Article 6(1) of the GDPR, by processing the claimant's personal data without any lawful basis.  
 

You can read the text of the decision in Spanish here.

For further information, please contact the Spanish DPA: prensa@aepd.es
 

18 August 2020

The Spanish Data Protection Authority (AEPD) imposed a fine of 70.000 EUR on XFERA MOVILES for disclosing a customer’s personal data to a third party.

The claimant was informed by another customer of Masmovil that, because of a mistake by the company, that customer had been charged with the claimant’s bill and thus had access to the claimant’s personal data (name, surname, ID card number and personal phone number).

The AEPD considered that this constitutes a breach of the principle of confidentiality, established in Article 5(1)(f) of the GDPR.

You can read the text of the decision here.

For further information, please contact the Spanish DPA: prensa@aepd.es

18 August 2020

Final decision, administrative fine for Rælingen municipality 

The Norwegian Data Protection Authority has imposed an administrative fine of EUR 47,500 on Rælingen Municipality. The fine is imposed after data concerning the health of children with special needs was processed using the digital learning platform Showbie.
- The case started when we received a notification of a personal data breach from the municipality. Upon further investigation of the case, it appeared that the level of security of the application was not proportionate with the risk, says Director-General of the Norwegian Data Protection Authority, Bjørn Erik Thon. – This is obviously a significant issue, as it has to do with both children and personal data concerning health. 

Several infringements
The infringement affects 15 children with special needs. The application Showbie has been used to send health related personal data between the school and the homes of the children. 


The necessary risk and data protection impact assessments and testing had not been completed before the application was put to use. The lack of security measures when logging in to the application made it possible to obtain information about other children in the group.


After the breach notification, the municipality has pointed out that there is no indication that any of the children have actually been victim to material or non-material damage, but the Norwegian Data Protection Authority has not put emphasis on this in the consideration of the case. This is because we found that the infringement itself creates a risk, regardless of whether the risk actually manifests itself in a more concrete form of damage to the affected children or not. 
The Norwegian Data Protection Authority has chosen to reduce the fine after an overall assessment, made on the basis of an inquiry from Rælingen municipality. An assessment was also made in relation to previous practice under the old law. The case has not been appealed, and the fine of EUR 47,500 is final.

You can read the original press release in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


14 August 2020

In 2018, the Danish company PrivatBo assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo provided material for the properties in question, which was distributed to the occupants of the properties on a total of 424 USB keys. However, PrivatBo was not aware that some of the documents contained personal information of a confidential nature which should not have been disclosed.

The Danish Data Protection Agency assessed the case and found that PrivatBo had not complied with the requirements of Article 32 of the General Data Protection Regulation to implement appropriate technical and organizational security measures. Based on the nature of the case, the Danish DPA has therefore chosen to report PrivatBo to the police for the unintentional disclosure of personal information and proposed a fine of DKK 150.000.

You can read the full press release below or on the Danish DPA website here.

For further information, please contact the Danish SA: dt@datatilsynet.dk

The Danish Data Protection Agency (Datatilsynet) refers PrivatBo for a fine


PrivatBo has been reported to the police, as the Danish Data Protection Agency has assessed that the property management company did not live up to the requirement of an appropriate level of security under the General Data Protection Regulation (GDPR).

In 2018, PrivatBo, acting as property management company, assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo produced material on the properties in question, which was distributed to the residents of those properties on a total of 424 USB keys. PrivatBo was, however, not aware that a number of the tenancy agreements handed out had documents attached which contained personal data of a confidential nature and which should not have been disclosed.

“In a case such as this one, it is our assessment that PrivatBo should, as a minimum, have reviewed the offer material before it was handed over to others. In that connection we note in particular that there was a risk of disclosing information of a confidential nature to, among others, neighbours, and that this could entail considerable discomfort for the tenants concerned, including loss of reputation,” says Frederik Viksøe Siegumfeldt, head of the supervisory unit at the Danish Data Protection Agency, and adds:

“Quite generally, when a company processes people’s personal data, it also has a responsibility to ensure that the data does not come to the knowledge of unauthorised persons. In this case we do not consider that PrivatBo did enough to prevent the personal data from being disclosed.”

The Danish Data Protection Agency has thus assessed that PrivatBo did not comply with the requirements of Article 32 of the General Data Protection Regulation to implement appropriate technical and organisational security measures. Based on the nature of the case, the Agency has therefore chosen to report PrivatBo to the police for the unintentional disclosure of personal data that took place as part of the hand-out of the 424 USB keys.

The Danish Data Protection Agency has furthermore found grounds to express serious criticism of the fact that PrivatBo subsequently, in connection with the same statutory obligation to offer the properties to the tenants, unintentionally handed out an overview of deposits held and prepaid rent, and in some cases information on attachments of deposits, broken down by the addresses of the tenancies, to residents of a property other than the one covered by that obligation. The unintentional disclosure of this information took place despite PrivatBo having engaged an external audit firm to quality-assure the material.

 

06 August 2020

The National Credit Register (BKR) in the Netherlands can no longer charge people who wish to access the personal data it holds on them. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple, and they must be able to request a new copy after a reasonable period of time has passed. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted. As a result, the Dutch Data Protection Authority (Dutch DPA) issued the BKR with a €830,000 fine. 

The Dutch DPA received complaints from data subjects about the difficulties involved in accessing the data the BKR held on them. The Dutch DPA considered these complaints significant enough to warrant an investigation.

Accessing credit registration data
In the words of Dutch DPA chairman Aleid Wolfsen, ‘It is vital that people are able to access their credit registration data. A poor credit score can affect a person’s ability to take out a loan or mortgage. So it is important for people to be able to quickly and easily check what data of theirs is being processed and if this is being done in the proper manner.’ 

The issue
In May 2018 the BKR began charging a fee to data subjects for requesting access to their data in a digital format. Furthermore, although data subjects could obtain a paper copy of their data for free, this was only possible once a year. This situation was an infringement of privacy legislation, and led to the BKR being fined €830,000.

Following the Dutch DPA’s investigation, the BKR has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the BKR changed the number of times a year data subjects can receive a paper copy of their data by post. 

What’s next?
The BKR has appealed the case in court, which means that the Dutch DPA’s decision about the fine is not yet final. 

The Dutch version of this press release is available here.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

29 July 2020

Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information imposes fine on AOK Baden-Wuerttemberg – 
Effective data protection requires regular monitoring and adjustment 

Due to an infringement of the obligations of secure data processing (article 32 of the European General Data Protection Regulation, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has issued a fine of 1,240,000 € against the AOK Baden-Wuerttemberg. At the same time, the Department of Fines, in constructive collaboration with the AOK, also paved the way for an improvement of the technical and organisational measures for the protection of personal data at the AOK Baden-Wuerttemberg.

From 2015 to 2019, the AOK Baden-Wuerttemberg hosted raffles on different occasions. Within this context, the AOK collected the participants’ personal data, including contact details and health insurance affiliation. Inter alia, the AOK wished to use this data for advertisement purposes, provided that the participants had consented accordingly. Through technical and organisational measures, which included internal guidelines and data protection trainings, among others, the AOK wanted to ensure that only data of raffle participants who had given their prior and valid consent would be used for advertisement purposes. These measures set by the AOK did not, however, comply with legal requirements. The personal data of more than 500 raffle participants were therefore used for advertisement purposes without their consent. No insurance data was concerned.

The AOK Baden-Wuerttemberg discontinued all sales activities immediately after the allegation became known, in order to thoroughly check all procedures. In addition, the AOK created a task force for data protection in sales and made adjustments which concerned, in particular, internal procedures and control structures, besides the declarations of consent. Further measures are to be taken in close coordination with the LfDI.

Within the frame that article 83 (4) GDPR sets for fines, the comprehensive internal reviews and adjustments of the technical and organisational measures, as well as the constructive cooperation with the LfDI, spoke in the AOK’s favour. Thus, an increase in the protection level for personal data related to the AOK’s sales activities was achieved within a short amount of time. In the future, the AOK will continue and, if necessary, adjust these improvements and additional control mechanisms, in accordance with the specifications and recommendations set by the Baden-Wuerttemberg State Commissioner of Data Protection and Freedom of Information.

When assessing the fine, the Commissioner considered factors such as the size and the relevance of the AOK Baden-Wuerttemberg. He also paid special consideration to the AOK being a statutory health insurance and thus an important part of our health system, as the AOK has the statutory obligation to preserve, restore or improve the health of the insured persons. The GDPR requires fines to not only be effective and dissuasive, but also proportionate. Determining the amount of the fine, the Commissioner therefore had to ensure that the fulfilment of this statutory obligation would not be endangered. To this end, particular attention was paid to the challenges the AOK currently faces due to the Corona pandemic.

“Data security is an ongoing task”, the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, stresses. “Technical and organisational measures need to be adjusted to the actual conditions on a regular basis, so as to ensure an appropriate level of protection in the long term.” In this context, great importance is regularly attached to ensuring conditions of data protection compliance, as well as to the good cooperation of controllers with the LfDI. Brink concludes, “Our aim is not to issue fines which are as high as possible, but rather to reach a data protection level which is as good and appropriate as possible.”

If you have any questions, you can call the number +49 (0)711 615541-23. For further information about data protection and freedom of information on the web, please visit www.baden-wuerttemberg.datenschutz.de or www.datenschutz.de.


The German version of this press release is available at www.baden-wuerttemberg.datenschutz.de.
 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
27 July 2020

Within the framework of the Italian SA’s enforcement activities regarding telephone operators, Wind Tre SpA was fined about EUR 17 million on July 9th on account of several instances of unlawful data processing that were mostly related to marketing. The Italian SA had already issued a prohibitory injunction against the company, on account of similar infringements that had occurred when the previous data protection law was in force. 


The fine was imposed following complex investigations and inspections. Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several cases, the complainants had declared they had not been enabled to exercise their right to withdraw consent or object to the processing of their data for marketing purposes, partly on account of the inaccurate contact information provided in the information notices. In yet other cases, users’ personal data had been included in public phone listings despite the (at times reiterated) objections made by those users. 


The investigation showed that the MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours. 


Beyond these overarching flaws, the investigations by the Italian SA shed light on multifarious infringements affecting Wind Tre’s business partners. On account of those infringements, one such business partner was fined EUR 200,000 by the Italian SA and was banned from using the data its agents had collected and processed in the national territory without any consideration for data protection rules. This business partner had subcontracted – without relying on any legal instrument – whole sets of processing activities to call centres, which collected data in breach of the law.


The pleadings submitted by Wind Tre and the corrective measures implemented by the company, as also related to the centralised approach applying to marketing campaigns, were found inadequate by the Italian SA, which accordingly fined Wind Tre EUR 16,729,600 and prohibited any further processing of the data they had acquired without consent. The Italian SA also ordered the company to take technical and organisational measures to ensure effective oversight of their business partners, along with implementing procedures to respect users’ indications to be left alone. 


During its 9 July meeting, the Italian SA also assessed the findings of the investigations regarding another phone operator, i.e. Iliad; in that case, shortcomings were detected in several respects, in particular concerning employees’ access to traffic data. Accordingly, the company was fined EUR 800,000.


Rome, 13 July 2020

You can find a link to the press release on the Italian DPA's official website here.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

20 July 2020

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 5 000 on an individual entrepreneur running a non-public nursery and pre-school. 


The entrepreneur running the nursery and pre-school failed to provide the President of the UODO with access to personal data and other information necessary for the performance of its tasks - in this case for assessing whether the controller had communicated a data breach to the data subject in accordance with the GDPR (Article 58(1)(e) of the GDPR).


The controller notified the President of the UODO of a personal data breach, which consisted in losing access to personal data stored at the private nursery and pre-school it runs.


Given the lack of information necessary to carry out an assessment of the notification, the supervisory authority sent three requests to the entrepreneur to submit relevant explanations. Two of them weren’t collected on time, one was collected personally by the fined entity itself. The entrepreneur failed to respond to the requests of the President of the UODO. 


The obligation of an entrepreneur, that is an entity conducting professional business activity on the market, is to collect correspondence connected with the conducted activity. The entrepreneur's course of action is incomprehensible, considering the fact that it notified a personal data breach to the President of the UODO and therefore should have been expecting the DPA’s standpoint in this case.


It is worth emphasizing that the activity conducted by the fined entity included the processing of personal data relating to children, who require special protection, since they can be less aware of the risk and consequences related to data processing.


When issuing the decision on imposing an administrative fine and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the severity of the breach and its duration, the intentional nature of the breach and the lack of cooperation of the controller with the supervisory authority. In the view of the President of the UODO, the imposed fine is proportional to the severity of the established breach and to the entrepreneur's ability to pay the fine without significant detriment to the conducted activity.


The fine imposed by the President of the Personal Data Protection Office is intended to discipline the entrepreneur in terms of proper cooperation with the President of the UODO, both in further course of the proceedings in the case of data breach notification, and in other possible future proceedings with participation of this entrepreneur conducted by the President of the UODO. It is a clear signal to all entities that disregarding their obligation to cooperate, on request, with the supervisory authority, especially by hindering access to information necessary for the performance of its tasks, is a serious infringement and as such is subject to fines. 


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

20 July 2020


The President of the Personal Data Protection Office (UODO), after having conducted an administrative proceeding instituted ex officio in the case of imposition of an administrative fine, imposed a fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK).


The President of the Personal Data Protection Office established that the Surveyor General of Poland violated the provisions of the General Data Protection Regulation (GDPR), where the breach consisted in failure to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks. Furthermore, GGK did not cooperate with the President of the UODO during that inspection.


The President of the UODO is tasked with monitoring and enforcing the application of the GDPR. Within the scope of its competences, it conducts inter alia proceedings on the application of the provisions of the GDPR. For the performance of its tasks, the supervisory authority shall have a number of specific powers, including the right to obtain from the controller and the processor access to all personal data and to all information necessary for it, or the right to obtain access to any premises of the controller and the processor, including to any data processing equipment and means.


Moreover, the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of the GDPR.


An infringement of the provisions of the General Data Protection Regulation, consisting in failure to provide access to data and information by the controller or processor, shall result in a breach of the powers of the supervisory authority referred to in Article 58(1) of the GDPR. Therefore, the President of the UODO considered it reasonable to impose an administrative fine.


Let us remind you that at the beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations. Giving the reasoning for its position, GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.


Finally, GGK signed the authorisations entering a written note on them stating that it refused to carry out the inspection aimed at establishing inter alia: the grounds for the processing (including disclosing on GEOPORTAL2) of personal data, the sources of such data, the scope and type of disclosed personal data, and the method and purpose of that disclosure. Furthermore, the note allows one to conclude that the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures have been implemented to ensure an adequate level of security of the data being subject to protection, and whether GGK has appointed a Data Protection Officer. Unfortunately, due to the inspectors' lack of access to the IT systems used by GGK and the inability to carry out the necessary inspections of the IT system during the inspection, it has not been established whether GGK has implemented appropriate technical measures to ensure data security. In view of the above, in the course of the inspection it was only established what organisational measures GGK used for data security and whether a Data Protection Officer was appointed.


An inspection protocol has been drawn up from the inspection activities carried out, which has been signed by the Surveyor General of Poland.


Due to the categorical lack of consent of GGK to carry out full inspection activities and the unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground GGK enables access to personal data contained in land and property registers when providing information from those registers via the GEOPORTAL2 online portal (geoportal.gov.pl), nor whether GGK has implemented appropriate technical measures to ensure data security. During the inspection, it was not possible to investigate the main subject of the inspection, because not all operations could be carried out. In this respect, the inspection was thwarted by the Surveyor General of Poland.


In addition, separate proceedings are pending before the President of the UODO in the case of a breach consisting in the processing of personal data in the form of the numbers of land and property registers on the GEOPORTAL2 online portal without a legal basis.


To read the information on hindering the inspection by GGK and on issuing the decision by the President of the UODO in Polish, click here.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

16 July 2020

The Belgian DPA just imposed a €600.000 fine on Google Belgium for not respecting the right to be forgotten of a Belgian citizen, and for lack of transparency in its request form to delist.

A Belgian citizen had requested the removal of links containing negative information about him. The request was refused by Google.

The Litigation Chamber of the Belgian DPA found that some of those links were needed for public interest and should not be removed: the citizen plays indeed a role in public life and the links concerned a presumed relation with a political party. The other links contained information that was outdated, unsubstantiated and could seriously damage the reputation of the citizen. The Belgian DPA considers that those links should have therefore been delisted by Google. For the Belgian DPA it is important to note that the facts of the case were clear, leaving Google no reasonable room to decide otherwise.   

What’s more, Google lacked transparency in their delisting form, as well as in their response to the data subject.

For these reasons, the Belgian DPA decided to impose a fine of €600.000. This is the highest fine ever imposed by the Belgian DPA.

The Belgian DPA considers itself competent in this case, notably because Google argued that its main establishment in Europe (Google Ireland) was not responsible for delisting activities. The decision contains a detailed explanation of the responsibilities of the various establishments of Google.

The decision (currently only in French) is available here.

For further information, please contact the Belgian DPA: contact@apd-gba.be 


 

10 July 2020

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15 000 on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks.

The fined company provides employment services in Poland and Germany, and a complaint against its actions was lodged by a German citizen because it processed his personal data for marketing purposes. The complaint was lodged with the German data protection authority competent for Rhineland-Palatinate, but it was taken over for consideration by the President of the UODO, who was the so-called lead authority in this case, because the company is established in Poland.

Within the framework of this proceeding, the President of the UODO sent three requests to the company to submit explanations. Two of them (correctly served and received by the company) remained unanswered. The company replied to one of the requests, but its explanations were incomplete and contradictory. In the opinion of the President of the UODO, they were manifestly insufficient to establish the facts of the case. Due to such conduct of the company, the President of the Personal Data Protection Office considered that it intentionally impedes the course of proceedings or at least ignores its obligations related to cooperation with the supervisory authority. The President of the UODO therefore considered it necessary to initiate separate proceedings for the imposition of an administrative fine on it.

It was only in response to the notice of initiation of the proceedings that the company provided more extensive explanations, but they were incomplete and required further investigation. Therefore, the President of the Personal Data Protection Office considered that the company does not want to cooperate with it and does not fulfil the obligation – provided for in the GDPR – to provide it with access to personal data and other information necessary for the performance of its tasks, in this case for handling a complaint lodged by a German citizen.

When issuing the decision to impose an administrative fine on East Power Sp. z o.o. and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the seriousness of the breach (undermining the proper functioning of the personal data protection system specified by the GDPR), the intentional nature of the breach and the unsatisfactory degree of cooperation of the controller with the President of UODO in order to remedy the breach and mitigate its consequences.

Sanctions imposed by the President of the Personal Data Protection Office in the form of administrative fines are intended to discipline controllers and processors. Their disregard for their obligations related to cooperation with the President of the UODO leads to prolonging the proceedings conducted by it. In this way, it is difficult to exercise the rights of persons whose personal data are being violated.

The above situation occurs in the case of the fined company. By its actions, it makes it impossible to handle the complaint of a German citizen and to issue a decision by the President of the UODO determining the case relating to the complaint lodged.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

 

 


 

26 June 2020

The Belgian Data Protection Authority has imposed a fine of 1,000 EUR on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for its fundraising. The administrative fine was imposed following a complaint lodged with the Belgian Data Protection Authority by a former donor of the association as the latter had not complied with the request for data erasure addressed by the data subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR.

The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.

First of all, the Litigation Chamber found that the data controller did not comply with the data erasure request and the data subject's right to object. Secondly, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a ground for the processing in the present case since it did not meet the cumulative conditions imposed by the case law of the Court of Justice of the European Union - and in particular the Rigas judgment - in this respect. According to this case law, in order to invoke Article 6.1, f) GDPR, the controller must demonstrate that i) the interests pursued by the processing can be recognized as legitimate ("purpose test"); ii) the intended processing is necessary for achieving those interests ("necessity test"); and iii) the balancing of these interests against the fundamental rights and freedoms of the persons concerned by the data protection weighs in favour of the controller or of a third party ("balancing test"). In the present case, the Litigation Chamber decided that the third condition of article 6.1, f) GDPR and the case law of the Court of Justice was not fulfilled.

More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect his data to be processed for direct marketing purposes years after the collection of these data (recital 47 GDPR). Moreover, the Litigation Chamber found that the data controller had not sufficiently facilitated the right of objection.

This decision implements the 2020-2025 Strategic Plan of the Belgian Data Protection Authority, of which 'direct marketing' is one of the priority strategic points. The Litigation Chamber also refers to Recommendation No 01/2020 of the Belgian DPA in this respect.

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

22 June 2020

The Norwegian Data Protection Authority has notified the Norwegian Institute of Public Health (NIPH) of its intention to impose a temporary ban on the processing of personal data in connection with the Smittestopp contact tracing mobile application. NIPH has now temporarily suspended all use of the app.
 
On Monday 15 June, NIPH announced that they have decided to suspend the app and erase all data until further notice, but that they will provide a formal response by 23 June, which is the date set by the Data Protection Authority. The notice entails a temporary ban on all collection of personal data by NIPH through the app.

Intervention no longer proportionate


“NIPH has chosen to suspend all collection and storage of data immediately. I hope they use the time left until 23 June well, both to document the benefits of the app and to make other necessary changes, so that they can resume use of it,” says Data Protection Authority Director-General Bjørn Erik Thon.
The basis for the notice is the Data Protection Authority’s assessment that the Smittestopp app can no longer be considered a proportionate intervention in the users’ fundamental rights to data protection.


“Smittestopp is a highly invasive measure in terms of data protection, even in these special circumstances, where our society is fighting a pandemic. We do not see the utility, given our current situation and the way the technical solution is designed and presently working,” Thon says.


Legality hinges on public benefit


Smittestopp is a digital solution for contact tracing. It can notify the user if they have been in close contact with people infected with Covid-19. By analysing anonymized and aggregated data of population movement patterns, NIPH will also evaluate infection control measures and monitor rates of transmission through society. Smittestopp collects large quantities of personal data about app users, including continuous location data and information about app users’ contact with others.


“Our notice does not mean that we can’t use technology and apps to fight this pandemic. However, the legality of Smittestopp hinges on its public benefit,” Thon says. “We have considered the solutions chosen for the Smittestopp app, the low proliferation of the app, with users accounting for approximately 14 percent of the population aged 16 and older, and the rates of infection in the general population. We have also taken into account the National Institute of Public Health’s release stating that the rate of infection is currently so low that it is difficult to validate that the app’s alerts are notifying the right people — not too many and not too few.”

Location data from GPS and Bluetooth


Currently, Smittestopp users cannot choose to provide personal data for contact tracing purposes without also agreeing to the data being used for analysis and research. These different purposes require different types of personal data. We question the lack of choice for the users. Several other European countries have developed contact tracing apps that rely solely on Bluetooth technology and that do not collect GPS-based location data. The World Health Organization (WHO) has also posted several publications related to digital proximity tracking for Covid-19 (example link).


“The European Data Protection Board has concluded that the use of location data in contact tracing is unnecessary and recommend the use of Bluetooth data only. We do not find that NIPH has sufficiently justified the need to use location data for contact tracing and await new information from NIPH on this issue,” Thon says.
Smittestopp currently only has contact tracing functionality in combination with notification in three test municipalities: Drammen, Trondheim and Tromsø.
“Also, no solution for anonymizing and aggregating data for analysis has yet been implemented. The app nevertheless continually collects personal data from all users,” Thon says.


Going forward


The Data Protection Authority has invited the National Institute of Public Health to a meeting on Friday 19 June to further discuss this matter. NIPH has until 23 June to provide a response to the order.


“There are many different things we need to discuss. The design of the request for approval and the use of GPS in contact tracing are central issues, but we also need to discuss the anonymization solution, which is not yet in place. A solution for how to handle requests for access will also be a topic for discussion. We need to see some specific changes on these important issues,” Thon says.

To read the press release in Norwegian, click here

 

Update: 17/08/20

The Norwegian Data Protection Authority has imposed a temporary ban on Smittestopp contact tracing mobile application. 


The Norwegian Data Protection Authority has reached a decision to temporarily ban the processing of personal data using the Smittestopp contact tracing mobile application. As previously notified, we maintain that Smittestopp cannot be considered a proportionate intervention in the user’s fundamental right to data protection.

The purposes of Smittestopp are contact tracing and notification of Covid-19 infection, as well as analysis of anonymous and aggregated data to evaluate the effect of infection control measures, and monitoring of the spread of infection in society. The app has collected large amounts of personal data about the people using it, including continuous registration of movements and information about the users’ contact with others.

Still several weaknesses


The Norwegian Data Protection Authority finds that the Norwegian Institute of Public Health (NIPH) has not documented the benefit of the app. We have looked at the technical solutions chosen for Smittestopp, the low level of adoption of the app (approx. 14% of the population aged 16 or above), and the spread of the infection in the population. We also find that the NIPH has not sufficiently established the necessity of using location data from GPS in contact tracing, which we find is in conflict with the principle of data minimization. 


Furthermore, the Norwegian Data Protection Authority has been critical of the fact that users have not had the option to choose to share personal data for just one or several of the purposes. In June, The Norwegian Parliament reached the decision that the purposes have to be separated in the next version of the app. 


The NIPH has already decided to stop the collection of personal data, and to erase the collected data. The Norwegian Data Protection Authority will continue to control any new versions of the app. 
 

 

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
19 June 2020

The Belgian DPA has imposed a fine of 10 000 EUR on a controller for sending a direct marketing message to the wrong person and for not responding adequately to the data subject’s subsequent request for access to his data. The marketing message was sent to the plaintiff instead of to another person who had the same name but a different email address. This incorrect processing was due to a human error. As a result, the plaintiff exercised his right of access, which did not run smoothly. The Belgian DPA established that the controller did not sufficiently respond to the request of the plaintiff (Article 15 GDPR), did not respond within the deadline set by the GDPR (Article 12.3 GDPR) and was not sufficiently transparent (Article 12.1 GDPR). For these reasons, the Belgian DPA considers that the exercise of the rights of the plaintiff was not sufficiently facilitated, as required by Article 12.2 of the GDPR.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

19 June 2020

The Swedish Data Protection Authority (DPA) has investigated a co-operative housing association’s use of video surveillance on its property. The DPA concludes that the association has gone too far when using video surveillance in the main entrance and the stairwell and when recording audio.

The Swedish DPA has received complaints claiming that a co-operative housing association monitors the stairwell in the association’s apartment building. The DPA has now finished an audit of the association.

The Swedish Data Protection Authority’s investigation shows that the association has four surveillance cameras installed. Two are located in the stairwell, one in the main entrance and one is directed towards a distribution box in the association’s storage room. All cameras record video and audio continuously, 24 hours a day, 7 days a week.

For the two cameras set up in the stairwell, the Swedish Data Protection Authority notes that these allow the association to map the habits, visits and social circle of the residents. “Already the fact that the surveillance is of the residents and their home environment means that it requires very strong reasons for the monitoring to be allowed,” writes the authority in its decision.

– Under special circumstances, a co-operative housing association may monitor a stairwell. However, in order for such surveillance to be allowed, the association must be able to demonstrate a pressing need for such video surveillance and that has not been the case here, says Nils Henckel, legal advisor at the Swedish DPA.

The third camera is set up at the main entrance, and the association states that it is intended to combat problems with vandalism, which it had experienced during two months in 2018. The Swedish DPA stresses the obligation to continuously review whether a need for video surveillance is still justified and concludes that no such need remained at the time of the decision.

As for the fourth camera, which is directed towards the distribution box, the DPA concludes that it must be re-directed so that it does not monitor the residents’ storage facilities.

Furthermore, the Swedish Data Protection Authority notes that audio recording constitutes an additional intrusion into the private sphere, in particular when recorded in a residential building, and that there are no circumstances that justify such an intrusion in this case.

The Swedish DPA also concludes that the association has failed to properly inform the residents about the video surveillance. The information lacked the identity of the data controller, where to turn for further detailed information and the fact that audio is recorded, which is a particularly severe omission.

The Swedish Data Protection Authority orders the co-operative housing association to stop the video surveillance of the stairwell and entrance, to cease audio recording for the surveillance camera by the distribution box and to improve the information provided concerning the video surveillance. The Swedish Data Protection Authority furthermore issues an administrative fine of 20 000 Swedish kronor (approximately 2 000 euro) against the association. When calculating the amount of the fine, account was taken of the fact that it was a smaller co-operative housing association.

To read the press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se 

16 June 2020

The Belgian DPA has imposed a fine of 1000 euro on a controller for not responding to a request from a citizen to object to the processing of his data for marketing purposes (article 15.3 GDPR), and for not collaborating with the authority (article 31 GDPR).

In a previous decision, the Belgian DPA had ordered the controller to meet the request of the plaintiff and to notify the Belgian DPA of the action taken on the request. The controller did not react to this injunction. When the controller was later asked why it had not complied with the injunction of the Belgian DPA, it demonstrated a cavalier attitude and a complete lack of interest in both the application of the GDPR and the procedure. For this attitude, as well as the established infringement of the right to object, the Belgian DPA eventually decided to impose a 1000 euro fine.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

10 June 2020

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 5.000 EUR on a candidate in local elections for using the staff registry of a municipality to send election propaganda (in the form of a letter) to staff members. The Belgian municipality in question filed the complaint against the candidate.

The Litigation Chamber established the following elements:

- A legal person (in this case the municipality) is entitled to file a complaint with the DPA.
- Contrary to what was said by the defendant, the communication did not amount to normal communication between a municipal councillor, which the defendant was at the time, and municipal staff. The content of the letter sent shows that it was indeed election propaganda.
- A violation of Article 5(1)(b) (purpose limitation) occurred, considering that the staff register is not meant to be used for purposes other than the internal management of the municipality.
- The Litigation Chamber could find no legal basis for a lawful processing of data from the staff register and therefore also concluded that Articles 5(1)(a) and 6(1) (lawfulness of processing) had been violated.

The fine of 5.000 EUR was imposed on the basis of previous similar decisions by the Litigation Chamber of the BE DPA, in which it had found that further processing of data gathered for municipal purposes with the intent of using them for political propaganda violated the principles of lawful processing and of purpose limitation.

The Litigation Chamber also considers that the defendant’s other positions in public service should have led him to show greater respect for the rules on electoral campaigning, which include data protection rules.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

09 June 2020

A sanction procedure was opened for failure to respond to a request for information made in order to investigate the facts identified in a complaint. The complainant had requested the removal of his data from a debtors’ file (Asnef), in which he had been listed on account of an alleged debt to the energy supply company Iberdrola.

The complaint was transferred to Iberdrola, which was required to forward to the AEPD the information and documents requested in the letter. After no response was received, the complaint was admitted.

Investigations were then carried out and the entity was again required to report on the facts complained of. This new request was also left unanswered. In short, Iberdrola had not provided the information required and consequently hindered the investigative powers that each supervisory authority has, infringing Article 58.1 of the GDPR.

This infringement is defined in Article 83.5(e) of the GDPR and is classified, for the purposes of the limitation period, as very serious. It was also taken into account that Iberdrola is a large, long-established undertaking and should therefore have established procedures for fulfilling its obligations under the data protection regulations, including providing any information required by the supervisory authority. For this reason, it was sanctioned with 5,000 euros, reduced to 4,000 euros as it benefited from the voluntary payment reduction provided for in the Spanish Procedure Law.

To read the full decision in Spanish, click here

For further information, please contact the Spanish DPA: prensa@aepd.es

04 June 2020

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine on Taksi Helsinki Oy for violations of data protection legislation on 26 May. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.

The Office of the Data Protection Ombudsman started an investigation on Taksi Helsinki’s personal data processing in November 2019. Serious deficiencies were found in the company’s processing of personal data.

The impact of the processing had not been assessed in accordance with data protection legislation.

Taksi Helsinki replaced its camera surveillance system with one that records both video and audio in the summer of 2019. However, the company did not assess the compliance of the related personal data processing with the GDPR.

The Deputy Data Protection Ombudsman ordered the company to conduct a balancing test to evaluate, for example, the necessity of the personal data processing and its impact on the interests and rights of the data subjects.

Taksi Helsinki also failed to conduct the impact assessments required by the GDPR before the start of processing. Data protection impact assessments would have been required for security camera surveillance, location data processing and automated decision-making and profiling connected to the company’s loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to carry out the required impact assessments.

No basis given for processing audio data

Taksi Helsinki reported that it processed the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio. However, the company did not provide an explanation for why it only processed audio data from some of its taxis. The company later stated that the audio data had been processed by mistake.

The Deputy Data Protection Ombudsman found that the processing of audio data was not in line with the GDPR’s principle of data minimisation. She ordered Taksi Helsinki to ensure that the processing of audio data without appropriate grounds is stopped immediately.

Problems with basic data protection issues

The Deputy Data Protection Ombudsman’s investigation also revealed that Taksi Helsinki did not inform data subjects of the processing of their personal data in the manner required by data protection legislation. The notifications in the taxis did not say anything about audio recording or indicate from where customers could obtain information on it.

Neither did the company’s privacy statement contain information on the automated decision-making and profiling performed in its loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to change its policies for informing customers to provide clear information on its processing of personal data. The information must also be easily accessible.

Deficiencies related to documentation and the definition of personal data processing roles were also discovered in the investigation. The Deputy Data Protection Ombudsman ordered Taksi Helsinki to rectify its procedures.

Administrative fine imposed

Several serious shortcomings in the identification of risks, compliance with data protection principles and implementation of the rights of data subjects were identified in Taksi Helsinki’s processing of personal data.

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. This amount was proportionate, effective and cautionary in the assessment of the board.  

The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.

To read the full decisions in Finnish, click here.

For further information, please contact the Finnish DPA: tietosuoja(at)om.fi

The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and his two Deputy Data Protection Ombudsmen and has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.

27 May 2020

The Office of the Data Protection Ombudsman’s sanctions board imposed administrative fines on three companies for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.

Deficiencies in information provided in connection with change-of-address notifications

The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, which is the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object to the disclosure of data, in connection with making change-of-address notifications.

The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had provided such information only to customers who bought additional services in addition to making the change-of-address notification.

Posti had already notified the Data Protection Ombudsman in 2017 that it would look into possibilities for improving the transparency of personal data processing. The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.

The sanctions board imposed an administrative fine of EUR 100,000 on Posti Oy.

The data protection impact assessment on the processing of employee location data had been neglected

The second decision concerned a complaint made to the Data Protection Ombudsman about how Kymen Vesi Oy processed the location data of its employees by tracking vehicles with a vehicle information system. The controller had not made the impact assessment required by the GDPR before starting to process the location data. The location data was used for monitoring working hours, among other things.

A data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment is necessary, for example, if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring. The decision listing the situations in which a data protection impact assessment of the processing of location data is required can be found on the Data Protection Ombudsman’s website.
The sanctions board imposed an administrative fine of EUR 16,000 on Kymen Vesi Oy.

Job applicants’ personal data was collected unnecessarily

In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.

The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.
The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of EUR 12,500 on the company.

The decisions are not final, as they can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.

Sanctions must be proportionate, efficient and cautionary

This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or EUR 20 million.
The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, with the Data Protection Ombudsman serving as chairman. The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act.

To read the full decisions in Finnish, click here

For further information, please contact the Finnish DPA: reijo.aarnio(at)om.fi

15 May 2020

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed. The company had erased personal data subject to the access request of a data subject during the period after the request was submitted and prior to the company's reply. The Data Protection Authority became aware of the case on the basis of a complaint.

Good data processing

“Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the Data Protection Authority and the Courts. This is a violation of the citizen’s fundamental rights and is not an example of good data processing,” says Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority.

Fine proposal

The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

It is the view of the Danish Data Protection Agency that a breach of the regulation’s fundamental principles concerning processing security by a company, in a case such as the one in question, cannot in principle be penalised by a fine lower than DKK 50.000 if the regulation’s basic requirement of effective and dissuasive penalties is to be met. At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

In most European countries, national data protection authorities can issue administrative fines themselves, but the rules are different in, inter alia, Denmark.

After having clarified and assessed the case, the Data Protection Authority (DPA) reports the data controller to the police. The police then consider whether there are grounds for bringing a charge, and finally any financial penalty is decided by a court.

To read the press release in Danish, click here

For further information, please contact the Danish SA: dt@datatilsynet.dk

13 May 2020

The Swedish Data Protection Authority’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

The Swedish Data Protection Authority received a complaint against the Healthcare Committee in Region Örebro County, in which it was claimed that sensitive personal data about a patient admitted to a forensic psychiatry clinic had been published on the region’s website.

– Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region’s website, says Elin Hallström, Legal Advisor at the Swedish Data Protection Authority.

The Swedish Data Protection Authority’s audit shows that there are no written instructions relating to the publication of documents and personal data on the website in place. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed which led to the accidental publication of the document, suggesting that the Committee had not taken sufficient organizational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

– For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publish personal data on the region’s website do so in accordance with set instructions.

In its decision, the Swedish Data Protection Authority also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

The Swedish Data Protection Authority orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

30 April 2020

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

The Data Protection Authority (DPA) initiated an investigation against the National Government Service Centre (NGSC) upon having received a number of personal data breach notifications concerning an error in the IT system for salary administration. The error entailed the possibility of unauthorised access to personal data of both personnel of authorities using the system and of the personnel of the NGSC.

- Our investigation shows that it has taken too long for the NGSC to inform the concerned parties about the error and furthermore that the NGSC has failed to report the personal data breach to the DPA in due time. The documentation of the breach, as required under the GDPR, was also found incomplete with regards to the NGSC’s personnel and their data, says Elin Hallström, legal advisor, who has been leading the DPA’s audit.

The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.

- When a data breach of this kind is discovered by a processor such as the NGSC in this case, it is important to inform the controllers as soon as possible so that they can report the breach to the DPA and take further actions to mitigate any related risks. The NGSC has failed to act in time.

In its decision, the DPA orders the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are followed. Together with this order, the DPA imposes an administrative fine on the NGSC totalling 200,000 Swedish kronor.

The National Government Service Centre coordinates the administration of government agencies by offering administrative support services to other government agencies. It offers basic services in the areas of salary administration, financial administration and eCommerce.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se

03 April 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation, with its seat in Katowice, a company from the telemarketing industry, for making it impossible to conduct an inspection. Additionally, the company’s owner is subject to criminal liability for this.

The President of the Personal Data Protection Office (UODO) decided to conduct inspection activities at the penalised company, in connection with the findings made in the course of another inspection performed at a company conducting telemarketing activities. It was established that this company has a cooperation contract with Vis Consulting Sp. z o.o. for the outsourcing of telemarketing services. Therefore, the supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.

Unfortunately, the UODO’s inspectors, after prior notification of the planned inspection, did not find anyone at the address indicated in the National Court Register (KRS). On the spot, there was only a company which leased office space to Vis Consulting Sp. z o.o. (a so-called virtual office).

The inspectors managed, however, to contact Vis Consulting by telephone, and its proxy stated that the inspection would not take place.

Therefore, the President of the UODO concluded that the company in no way wished to cooperate with the personal data protection authority. On two consecutive days of planned inspection activities, the company made it impossible to carry out the inspection. Furthermore, on the date on which the inspectors attempted to conduct the inspection at Vis Consulting Sp. z o.o., its governing bodies decided to liquidate the entity.

In the opinion of the President of the Office, this company does not comply with the obligations relating to the processing of personal data and, at the very least, intentionally avoids being subject to inspection by the supervisory authority. Thus the company infringed the provisions of Article 31 of the GDPR in conjunction with Article 58(1)(e) and (f) of the GDPR, which concern cooperation with the supervisory authority and enabling it access to all personal data and any information.

Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied. In determining the amount of the fine, the supervisory authority did not identify any attenuating circumstances affecting the amount of the fine.

In connection with the suspicion that the President of the Company had committed an offence under Article 108(1) of the Act on the Protection of Personal Data, the supervisory authority notified the District Public Prosecutor’s Office in Katowice. According to that provision, preventing or hindering an inspection of compliance with the personal data protection provisions is subject to a fine, restriction of personal liberty or imprisonment for up to two years. The Public Prosecutor’s Office has already lodged an indictment against the President of the Company with the court.

To read the press release in Polish, click here

To read the full decision in Polish, click here

11 March 2020

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the GDPR. Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

In 2017 the Swedish Data Protection Authority (DPA) finalised an audit concerning how Google handles individuals’ right to have search result listings for searches that include their name removed from Google’s search engine, for example where the listing lacks accuracy or relevance or is considered superfluous. In its decision the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.

In 2018, due to indications that Google had not fully complied with the previously issued order, the DPA initiated a follow-up audit. This audit is now finalised and the DPA is issuing a fine against Google.

– The General Data Protection Regulation, GDPR, increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right, says Lena Lindgren Schelin, Director General at the Swedish DPA.

The Swedish Data Protection Authority is critical of the fact that Google did not properly remove two of the search result listings that the DPA had ordered it to remove back in 2017. In one of the cases Google made too narrow an interpretation of which web addresses needed to be removed from the search result listing. In the second case Google failed to remove the search result listing without undue delay.

When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice puts the right to delisting out of effect.

– In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, says Olle Pettersson, legal advisor at the Swedish DPA who has participated in this audit of Google.

Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.

Facts about the right to have search result listings removed
In May 2014 the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is incorrect, irrelevant or superfluous. This right was strengthened with the GDPR entering into force on 25 May 2018. The right is, however, not absolute: you cannot demand that all search results be removed. Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.
What happens next?
Google may appeal the decision of the Swedish DPA within three weeks. If Google decides not to appeal, the decision will enter into force by the end of that time period. Once the decision has entered into force it will be handed over to the Legal, Financial and Administrative Services Agency (Kammarkollegiet) that handles the administration of fines under the GDPR.

Note to editors:

The personal data processing in question is part of the processing operations carried out by Google as a search engine operator. For this part of Google’s activity it is Google LLC (parent company of the Google group) established in the United States that decides the purpose and means of the processing. Since there is no main establishment within the EU for this part of Google’s operations, each Supervisory Authority in the EU is competent for investigating possible infringements of the GDPR within their territory.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se  

10 March 2020

On 5 March 2020, the Icelandic Supervisory Authority (SA) took the decision to impose an administrative fine of ISK 3.000.000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.

The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.

The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The SA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

10 March 2020

On 5 March 2020, the Icelandic SA took the decision to impose an administrative fine of ISK 1.300.000 (EUR 8.945) on the Breiðholt Upper Secondary School in a case relating to a personal data breach.

The breach occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. However, the attachment concerned a different group of students, 18 in total, and contained data on their well-being, study performance, and social conditions. To a considerable extent, the information concerned the students' problems. In one instance, the data had to do with an intervention by child protection services. Furthermore, there were data on one student's physical illness, and on another student's mental health problem.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal information involved in the breach, which were data concerning health and other personal issues. The SA also cited the nature of the Breiðholt Upper Secondary School as a nonprofit institution.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

10 March 2020

The Danish Data Protection Agency has reported the municipality of Gladsaxe and the Municipality of Hørsholm to the police, as it finds that the municipalities have not met the requirements of an adequate level of security under the General Data Protection Regulation (GDPR).

For the municipalities of Gladsaxe and Hørsholm, fines of DKK 100.000 and DKK 50.000 respectively have been proposed.

The Data Protection Agency became aware of the cases when both municipalities notified the agency of personal data breaches relating to the theft of computers containing personal data.

Neither computer was protected by encryption, and the loss of personal data by the municipalities therefore posed an undue risk to their citizens.

In one of the cases, the lack of security resulted in a serious personal data breach, as a computer containing personal data of 20.620 citizens, including information of a sensitive nature and personal data, was stolen from Gladsaxe City Hall.

The second security breach took place when the computer of an employee from the municipality of Hørsholm was stolen from his car. On the computer, there was information on about 1.600 employees in the municipality of Hørsholm, including information of a sensitive nature and personal data.

The specific security breaches illustrate some of the possible consequences of the insufficient level of security, which poses a high risk to all citizens whose data the municipalities process.

Municipalities have a great deal of responsibility
“A municipality processes very large amounts of personal data concerning the municipality’s citizens, including information of a sensitive nature. As a citizen, it is not possible to opt out of the municipality’s processing of information about oneself, and the municipality therefore has a high responsibility to avoid the information being disclosed,” said Frederik Viksøe Siegumfeldt, Head of Unit of the Supervisory Unit in the Danish Data Protection Agency. He explains:

“It is simple to access the files stored on the computer when a computer’s hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data are stored locally on the computer, it is very imprudent that the municipalities' computers were not encrypted.”

Proposal of fines
The Danish Data Protection Agency has decided to report the Municipality of Gladsaxe and the Municipality of Hørsholm to the police and proposes that the two municipalities be fined DKK 100.000 and DKK 50.000 respectively.

To read the press release in Danish, click here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

05 March 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen.

The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could have used other forms of student identification.

For that breach, an administrative fine was imposed on Primary School No. 2 in Gdansk. In addition, the President of the Personal Data Protection Office (UODO) has ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.

Following ex officio administrative proceedings, the President of the UODO established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify payment of the meal fee.

The proceedings have shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use the biometric reader and four pupils use an alternative identification system.

In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much with the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprint verification, but also by electronic card, or by giving the child’s name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch.

In the fined Primary School No. 2, in accordance with the lunch rules, available on the website of the school’s canteen, students who do not have biometric identification have to wait at the end of the queue until all the students with biometric identification enter the canteen. Once all the students with biometric identification have entered the canteen, the students without biometric identification are allowed to enter, one by one. In the opinion of the President of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification. Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.

The President of the UODO, in the grounds of his decision, emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic data. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

03 March 2020

The Dutch DPA imposed a fine of EUR 525,000 on tennis association KNLTB for selling the personal data of its members. In 2018, KNLTB unlawfully provided personal data of a few thousand of its members to two sponsors.


Fine for tennis association for selling personal data

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is imposing a fine of 525.000 euro on tennis association KNLTB for selling personal data. In 2018, the KNLTB unlawfully provided, against payment, the personal data of a few hundred thousand of its members to two sponsors.

The Koninklijke Nederlandse Lawn Tennisbond (KNLTB) provided the sponsors with personal data such as name, gender and address, so that they could approach a selection of KNLTB members with tennis-related and other offers. One sponsor received the personal data of 50.000 members, the other of more than 300.000. Those sponsors approached some of those KNLTB members by post or telephone.

Sale of personal data

For every processing of personal data, the organisation that processes the data must be able to rely on one of the six legal bases set out in the GDPR (AVG). For example, that the person concerned has given consent for that processing. Selling personal data without the consent of the person behind the data is generally prohibited. The KNLTB took the view that it had a legitimate interest in selling the data. The AP disagrees and has ruled that the KNLTB had no legal basis for passing those personal data on to the sponsors.

KNLTB complaint about the AP
During the investigation into the KNLTB, the tennis association lodged a complaint against the AP, which the AP declared well-founded. The complaint concerned the appearance of AP chairman Aleid Wolfsen on the television programme Nieuwsuur on 17 December 2018. In it, Wolfsen indicated that the AP was investigating ‘a sports association’. In response to this complaint, the AP has acknowledged that in that broadcast it gave the impression that the KNLTB’s conduct was not correct, while the investigation into it was still ongoing. The KNLTB saw in those statements the appearance of bias, and the AP regrets this. On the recommendation of the National Ombudsman, the AP hereby states that Wolfsen’s statements wrongly anticipated the outcome of the investigation.

KNLTB objection
The KNLTB has lodged an objection against the fine decision. The AP will now assess this objection.

To read the full decision, click here

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

01 February 2020

The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.

From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed (accountability).
In many cases out of the millions of marketing calls that had been placed in a six-month period to ‘non-customers’, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of any consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found, such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company is no longer permitted to use the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.

The injunctions issued by the Italian SA include the obligation for TIM to check consistency of their blacklists and to timely acquire those put together by call centres so as to update their own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in their individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

27 January 2020

The Commissioner for Personal Data Protection (Cypriot SA) fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) a total amount of EUR 82,000.00, concerning the lack of a legal basis for the “Bradford Factor” tool, which was used to score employees’ sick leave.

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind the Bradford Factor automated system for scoring employees’ sick leave was that short, frequent and unplanned absences cause greater disruption to the company than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using 'Bradford Factor', and profiling individuals based on the results, is considered as processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.

In the course of the investigation, the Commissioner made use of the possibility to raise legal questions with the other EEA SAs via the so-called mutual assistance procedure and received input from 25 authorities. The replies received confirmed the absence of a legal basis for the said processing and highlighted the need to regulate such issues with specific rules in line with Article 88 of the GDPR.

After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leave and the validity of sick leave certificates. However, such a prerogative should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

Having established such unlawful conduct, the Commissioner ordered the controller to interrupt the processing and delete all data collected. Moreover, a fine of €70.000 was imposed on LGS Handling Ltd, a fine of €10.000 was imposed on Louis Travel Ltd and a fine of €2.000 was imposed on Louis Aviation Ltd, in relation to the infringements of Articles 6(1) and 9 of the GDPR.

When deciding on the amount of the administrative fines, due regard was given to the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.

The full decision in Greek is available here.

For further information, please contact the Cypriot SA: commissioner@dataprotection.gov.cy

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

17 January 2020

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozen alerts and complaints received in the immediate aftermath of the full application of the GDPR. The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.

The Italian SA further prohibited the company from using the data made available by the list providers if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect data in the contracts and forged signatures.

About 7200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here.

For further information, please contact the Italian SA: garante@garanteprivacy.it

14 January 2020

The Hellenic DPA, in response to a complaint, conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager for whom there was suspicion that he had committed unlawful acts against the company’s interests.

The Authority found that the company as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retrieving the employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on www.dpa.gr under “Decisions”.

For further information, please contact the Hellenic DPA: contact@dpa.gr
