Comité Européen de la Protection des Données

Actualités nationales

Sur cette page, vous trouverez des actualités sur l’application du RGPD par les autorités de contrôle nationales. La publication sur cette page des communiqués de presse ne vaut ni communication officielle ni approbation de la part du comité européen de la protection des données. Ils sont publiés à titre strictement informatif et sont représentés ici, tels qu’ils apparaissent sur le site web ou d’autres moyens de communication de l’autorité de contrôle. Par conséquent, ces articles ne sont disponibles qu’en anglais ou dans la langue officielle de l’État membre, avec une brève introduction. Il convient d’adresser toute question relative à ces communiqués de presse à l’autorité de contrôle concernée. Une liste de toutes les autorités de contrôle est disponible ici.

2019

20 March 2019

A decision by the Italian Garante issued on 20 December 2018 set out the conditions for the Italian Revenue Agency to start processing activities under the new e-invoicing legislation that came into force on 1 January 2019 – whereby e-invoices will have to be issued for all payment transactions between suppliers of goods and services as well as between suppliers and consumers of those goods and services.

The December 20 Decision followed a previous decision by the Garante of 16 November 2018 where several criticalities had been highlighted in terms of data protection compatibility of the implementing mechanisms envisaged by the Agency. The November decision had led the Garante actually to issuing its first-ever ‘warning’, by relying on the new powers set out in Article 58 of the EU GDPR. The warning was addressed to the Revenue Agency to point out the ‘major criticalities related to the systematic, generalised, detailed processing of personal data on a large scale’ envisaged by the Agency, which was requested by the Garante to clarify how they planned to bring the relevant processing operations into line with the Italian and European legal framework.

An ad-hoc working party was set up by the Agency with the Garante and the Ministry of economics and finance to tackle and do away with those criticalities, involving additional stakeholders such as the National Council of Chartered Accountants and Accounting Experts, the National Council of Occupational Consultants, and the Association of Producers of Management and Accounting Software (AssoSoftware).

The working party dealt with the shortcomings pointed out by the Garante in its November decision, which were  multifarious in nature. Indeed, the Revenue Agency had planned to store and make available, on its web portal, all e-invoicing files in full (about 2.1 billion in 2017), but those files include detailed information on the purchased goods and services that is per se irrelevant for taxation purposes. On the other hand, that information can disclose consumption patterns in the most diverse areas  ranging from utilities and telecoms to transportation (highway tolls, flight tickets, hotel bookings) up to legal and health care services (where the e-invoice includes references to criminal or other proceedings or the medical diagnosis performed on a given patient undergoing treatment). This was found to be disproportionate compared to the public interest purpose the new legislation was intended to achieve.

The revised e-invoicing system envisages storage by the Agency of only the data required for the automated checks the Agency is called upon to perform for taxation purposes – e.g., in terms of consistency between e-invoicing data and the information held by the Agency on a given taxpayer; no information describing the purchased goods or services will be stored. Additionally, no e-invoices will have to be issued for health care services or goods. Storage of and access to the full contents of e-invoices will only be possible (after the initial implementing period) on the taxpayer’s specific request and based on agreements for which the Garante’s green light will be necessary.

Two additional major criticalities had been detected by the Garante, who had warned the Agency of the need to remedy them prior to the final roll-out of the system. One had to do with the role played by the intermediaries taxpayers may rely on for transmitting, receiving and storing their e-invoices; since those intermediaries may  happen to provide their services to several companies and entities at the same time, there is an increased risk of data leaks or misuse due to cross-referencing and combination of huge amounts of information. Secondly, there were several IT security risks in the system, starting from the lack of data encryption mechanisms especially for the e-invoices transmitted via ‘certified’ emailing systems, which the Garante had urged the Agency to address.

Those additional criticalities were remedied in part by the working group and the Garante called upon the Agency in December to make further efforts in that direction. In particular, the Agency will have to carry out an additional data protection impact assessment exercise by the 15th of April this year, pursuant to Article 35 of the GDPR. The Garante had already emphasized that the Agency should have taken care to carry out a DPIA prior to submitting the e-invoicing project to the Garante’s scrutiny, in line with the requirements for a data protection by design approach that is set forth in the GDPR; indeed, the Garante had pointed out that such a requirement was already envisaged in the pre-GDPR legislation under the ‘prior checking’ umbrella.

For Further information, please contact the Italian SA directly: garante@garanteprivacy.it

20 February 2019

The Commissioner has today issued his decision to the Lands Authority after concluding the investigation of the data breach, that was brought to his attention by the Times of Malta on 23rd November 2018.  The findings of the investigation established that the online application platform available on the Authority’s portal lacked the necessary technical and organisational measures to ensure the security of processing.  The Lands Authority was found to have infringed the provisions of Article 32 of the General Data Protection Regulation (GDPR) and, in terms of Article 21 of the Data Protection Act (CAP. 586), was served with an administrative fine of €5,000. The level of the fine was reached after the Commissioner took into account the circumstances set out under Article 83.2 of the GDPR.

The temporary ban imposed on the Authority’s portal has been lifted.

The Lands Authority offered their full and unrestricted collaboration to the Commissioner during the course of the entire investigation.    

You can read the original press release here

For further information, please contact the Maltese Supervisory Authority: idpc.info@idpc.org.mt

12 February 2019

Summary
The Austrian Data Protection Authority has finalised its investigation into the Austrian Post (Österreichische Post AG) and issued a decision stating the Austrian Post has violated several provisions of the GDPR.

Specifically, the Austrian DPA is of the opinion that the Austrian Post processes special categories of personal data (political opinions) by attributing preferences for certain political parties to data subjects by using statistical calculation methods. In the absence of explicit consent given by the data subjects concerned and in the absence of any other legal basis for processing these data the Austrian DPA found this to be contradictory to the GDPR.

Furthermore, the Austrian DPA found that the DPIA for this kind of processing and the record of processing activities were erroneous.

Consequently, the Austrian DPA imposed an immediate ban on these processing operations, ordered the erasure of the data and ordered the Austrian Post to carry out a new DPIA and to rectify its record of processing.

The decision is not final and will be challenged before the Federal Administrative Court.

Datenschutzbehörde beendet Prüfverfahren gegen Post und stellt Rechtsverletzungen fest

Wien (OTS) - Die Datenschutzbehörde hat die Berichte, wonach die Österreichische Post Aktiengesellschaft (Post) Daten zur Parteiaffinität verarbeite, zum Anlass genommen, ein amtswegiges Prüfverfahren einzuleiten.

Das Prüfverfahren hat hervorgebracht, dass die Post tatsächlich im Rahmen des Gewerbes "Adressverlage und Direktmarketingunternehmen" mittels statistischer Verfahren u.a. die Parteiaffinitäten von Personen ermittelt.

Die Datenschutzbehörde hat festgestellt, dass diese Daten ohne Einwilligung der betroffenen Personen nicht verarbeitet werden dürfen. Es wurde angeordnet, diese Datenverarbeitung mit sofortiger Wirkung zu unterlassen und die Daten zu löschen, sofern im Einzelfall kein Grund für eine weitere Verarbeitung gegeben ist. Dies könnte insbesondere der Fall sein, wenn es um die Bearbeitung von Auskunftsersuchen geht oder tatsächlich eine Einwilligung zur Verarbeitung vorliegt.

Darüber hinaus stellte die Datenschutzbehörde fest, dass die Datenschutz-Folgenabschätzung für diese Datenverarbeitung und der Eintrag in das interne Verzeichnis der Verarbeitungstätigkeiten mangelhaft sind. Es wurde angeordnet, die Datenschutz-Folgenabschätzung zu wiederholen und den Eintrag richtigzustellen.

For more information, please contact the Austrian supervisory authority at dsb@dsb.gv.at 

31 January 2019

The Hellenic DPA, in order to a) explore the level of compliance with the General Data Protection Regulation (GDPR) -six months after its entry into force- and the specific legislation on e-privacy, b) raise the awareness of data controllers and data subjects, and also c) exercise its envisaged powers, has carried out the following “ex officio” investigation, which was initiated in December 2018 and is ongoing:

More particularly, the Hellenic DPA carried out an investigation to 65 controllers operating online in the fields of financial services, insurance services, e-commerce, ticket services and public sector services, for exploring the way specific requirements are met in the areas of transparency, the use of cookies, the sending of online messages and the security of websites through indicative checkpoints, perceived to the citizen in their navigation and the use of internet services.

  1. The initial conclusions that were drawn as a result of this initiative highlight, in general, the lack of compliance with the legislation on cookies and relevant technologies in almost all the controllers.
  2. There was also a lack of information on the processing operations and the recipients of the data at around 40% of the controllers. It is worth noting that the public sector lags behind in compliance, mainly with regard to transparency, in almost all of the organizations that were investigated.
  3. On the contrary, at a high percentage of more than 80% of data controllers, a satisfactory level of security was observed.
  4. Furthermore, a sufficient degree, more than 70%, of Data Protection Officers’ designation was noted in the private sector.

On the basis of the final conclusions of this first large-scale investigation to check compliance, after the entry into force of the Regulation, the DPA will exercise its powers that are envisaged by the pertinent provisions.

The investigation was presented in the Authority’s recent Information Day on the occasion of the 13th European Data Protection Day on January 28th and is available in Greek at www.dpa.gr  (http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/EUROPEAN_DP_DAY_GENERAL/2019_DP_DAY/FILES%202018/PANAGOPOULOU_G.PDF).

For further questions, please contact the Hellenic Data Protection Authority: contact@dpa.gr

21 January 2019

On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

The handling of the complaints by the CNIL

The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow to consider that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.

As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPA. The CNIL implemented the new European Framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

In order to deal with the complaints received, the CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user and the documents he or she can have access, when creating a GOOGLE account during the configuration of a mobile equipment using Android.

The violations observed by the restricted committee

On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.

A violation of the obligations of transparency and information:

First, the restricted committee notices that the information provided by GOOGLE is not easily accessible for users.

Indeed, the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated  across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.

Moreover, the restricted committee observes that some information is not always clear nor comprehensive.

Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.

A violation of the obligation to have a legal basis for ads personalization processing:

The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons.

First, the restricted committee observes that the users’ consent is not sufficiently informed.

The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.

Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.

When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads.

That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.

The fine imposed by the restricted committee and its publicity

The CNIL restricted committee publicly imposes a financial penalty of 50 Million euros against GOOGLE.

This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.

Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.

Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

You can read the original press release here and in French here .

For further questions, please contact the CNIL directly: https://www.cnil.fr/en/contact-cnil