Comitetul European pentru Protecția Datelor

Noutăți naționale

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
11 February 2020

In October 2019, an administrative fine of € 120 000 was imposed on the Municipality of Oslo, the Education Agency, as a result of poor security of processing in the ‘Skolemelding’ mobile app. The app is used for communication between school employees, parents and pupils.

The fine was issued because the municipality had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The following were key elements in the Data Protection Authority’s assessment:
1.    One of the intended uses of the app is for parents to send messages regarding their children and absence from school using a free-text field. This enables communication of special category personal data, such as health data, regarding the children. There are no technical measures to prevent this from happening, and no information is given within the app that such transmission should be avoided. In line with data protection by design and default, alternative measures such as drop-down lists and tick boxes are more appropriate.
2.    Poor app login security made it possible for unauthorised persons to access and alter personal data of more than 63 000 pupils in the first to tenth grade.
3.    As a consequence of inadequate security testing before the app was launched, the app contained well-known security vulnerabilities.
Previously, the Data Protection Authority notified its intent to impose a fine of € 200 000 in response to the findings above. However, in the final amount was reduced to € 120 000 as there were mitigating factors present in the case. The municipality implemented measures to limit the damages as soon as it was made aware of the security flaws, and it has shown willingness to resolve the issues.
The Municipality of Oslo did not appeal the decision.

For further information, please contact the Norwegian SA:

01 February 2020

The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.

From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed (accountability).
In many cases out of the millions of marketing calls that had been placed in a six-month period with ‘non-customers’, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of whatever consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company is not permitted to use any longer the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.

The injunctions issued by the Italian SA include the obligation for TIM to check consistency of their blacklists and to timely acquire those put together by call centres so as to update their own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in their individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.

For further information, please contact the Italian SA:

27 January 2020

The Commissioner for Personal Data Protection (Cypriot SA) fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for a total amount of EUR 82,000.00, concerning the lack of legal basis of “Bradford Factor” tool, which was used to score sick leaves of employees.

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind Bradford's Factor automated system for scoring employees' sick leave was that short, frequent, and unplanned absences lead to a higher disorganising of the company rather than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using 'Bradford Factor', and profiling individuals based on the results, is considered as processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.

In the course of the investigation, we made use of the possibility to raise legal questions to the other EEA SAs via the so called Mutual assistance procedure and received input from 25 authorities. The replies received validated the absence of legal basis of the said processing and highlighted the necessity to regulate such issues with specific rules in line with article 88 of the GDPR.

After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leaves and the validity of sick leaves certificates. However, such a perquisite should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

Having established such unlawful conduct, the Commissioner ordered the controller to interrupt the processing and delete all data collected. Moreover, a fine of €70.000 was imposed to LGS Handling Ltd, a fine of €10.000 was imposed to Louis Travel Ltd and a fine of €2.000 was imposed to Louis Aviation Ltd, in relation to the infringements of articles 6(1) and 9 of the GDPR.

When deciding on the amount of the administrative fines, due regard was given to the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.

The full decision in Greek is available here

For further information, please contact the Cypriot SA:

17 January 2020

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozens of alerts and complaints received in the immediate aftermath of the full application of the GDPR.  
The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct  by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.  

The Italian SA further prohibited the company from using the data made available by the list providers  if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect  data in the contracts and forged signatures.

About 7200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation  as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.  

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here

For further information, please contact the Italian SA:

14 January 2020

The Ηellenic DPA in response to a complaint conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager for whom there was suspicion that he had committed unlawful acts against the company’s interests.

The Authority found that the company as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retreating employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on  “Decisions”

For further information, please contact the Hellenic DPA: