European Data Protection Board

National news

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
06 August 2020

The National Credit Register (BKR) in the Netherlands can no longer charge people who wish to access the personal data it holds on them. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple, and they must be able to request a new copy after a reasonable period of time has passed. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted. As a result, the Dutch Data Protection Authority (Dutch DPA) issued the BKR with a €830,000 fine. 

The Dutch DPA received complaints from data subjects about the difficulties involved in accessing the data the BKR held on them. The Dutch DPA considered these complaints significant enough to warrant an investigation.

Accessing credit registration data
In the words of Dutch DPA chairman Aleid Wolfsen, ‘It is vital that people are able to access their credit registration data. A poor credit score can affect a person’s ability to take out a loan or mortgage. So it is important for people to be able to quickly and easily check what data of theirs is being processed and if this is being done in the proper manner.’ 

The issue
In May 2018 the BKR began charging a fee to data subjects for requesting access to their data in a digital format. Furthermore, although data subjects could obtain a paper copy of their data for free, this was only possible once a year. This situation was an infringement of privacy legislation, and led to the BKR being fined €830,000.

Following the Dutch DPA’s investigation, the BKR has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the BKR changed the number of times a year data subjects can receive a paper copy of their data by post. 

What’s next?
The BKR has appealed the case in court, which means that the Dutch DPA’s decision about the fine is not yet final. 

The Dutch version of this press release is available here

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
29 July 2020

Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information imposes fine on AOK Baden-Wuerttemberg – 
Effective data protection requires regular monitoring and adjustment 

Due to an infringement of the obligations of secure data processing (Article 32 of the European General Data Protection Regulation, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has issued a fine of 1,240,000 € against the AOK Baden-Wuerttemberg. At the same time, the Department of Fines, in constructive collaboration with the AOK, also paved the way for an improvement of the technical and organisational measures for the protection of personal data at the AOK Baden-Wuerttemberg.

From 2015 to 2019, the AOK Baden-Wuerttemberg hosted raffles on different occasions. Within this context, the AOK collected the participants’ personal data, including contact details and health insurance affiliation. Inter alia, the AOK wished to use this data for advertising purposes, provided that the participants had consented accordingly. Through technical and organisational measures, which included internal guidelines and data protection training, among others, the AOK wanted to ensure that only data of raffle participants who had given their prior and valid consent would be used for advertising purposes. These measures set by the AOK did not, however, comply with legal requirements. The personal data of more than 500 raffle participants were therefore used for advertising purposes without their consent. No insurance data was concerned.

The AOK Baden-Wuerttemberg discontinued all sales activities immediately after the allegation became known, in order to thoroughly check all procedures. In addition, the AOK created a task force for data protection in sales and made adjustments which concerned, in particular, internal procedures and control structures, besides the declarations of consent. Further measures are to be taken in close coordination with the LfDI.

Within the frame that Article 83(4) GDPR sets for fines, the comprehensive internal reviews and adjustments of the technical and organisational measures, as well as the constructive cooperation with the LfDI, spoke in the AOK’s favour. Thus, an increase in the protection level for personal data related to the AOK’s sales activities was achieved within a short amount of time. In the future, the AOK will continue and, if necessary, adjust these improvements and additional control mechanisms, in accordance with the specifications and recommendations set by the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information.

When assessing the fine, the Commissioner considered factors such as the size and the relevance of the AOK Baden-Wuerttemberg. He also paid special consideration to the AOK being a statutory health insurer and thus an important part of our health system, as the AOK has the statutory obligation to preserve, restore or improve the health of the insured persons. The GDPR requires fines to be not only effective and dissuasive, but also proportionate. In determining the amount of the fine, the Commissioner therefore had to ensure that the fulfilment of this statutory obligation would not be endangered. To this end, particular attention was paid to the challenges the AOK currently faces due to the Corona pandemic.

“Data security is an ongoing task”, the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, stresses. “Technical and organisational measures need to be adjusted to the actual conditions on a regular basis, so as to ensure an appropriate level of protection in the long term.” In this context, great importance is regularly attached to ensuring conditions of data protection compliance, as well as to the good cooperation of controllers with the LfDI. Brink concludes, “Our aim is not to issue fines which are as high as possible, but rather to reach a data protection level which is as good and appropriate as possible.”

If you have any questions, you can call +49 (0)711 615541-23. For further information about data protection and freedom of information on the web, please visit www.baden-wuerttemberg.datenschutz.de or www.datenschutz.de


The German version of this press release is available at www.baden-wuerttemberg.datenschutz.de.
 

27 July 2020

Within the framework of the Italian SA’s enforcement activities regarding telephone operators, Wind Tre SpA was fined about EUR 17 million on July 9th on account of several instances of unlawful data processing that were mostly related to marketing. The Italian SA had already issued a prohibitory injunction against the company, on account of similar infringements that had occurred when the previous data protection law was in force. 


The fine was imposed following complex investigations and inspections. Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several cases, the complainants had declared they had not been enabled to exercise their right to withdraw consent or object to the processing of their data for marketing purposes, partly on account of the inaccurate contact information provided in the information notices. In yet other cases, users’ personal data had been included in public phone listings despite the (at times reiterated) objections made by those users. 


The investigation showed that the MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours. 


Beyond these overarching flaws, the investigations by the Italian SA shed light on multifarious infringements affecting Wind Tre’s business partners. On account of those infringements, one such business partner was fined EUR 200,000 by the Italian SA and was banned from using the data its agents had collected and processed in the national territory without any consideration for data protection rules. This business partner had subcontracted – without relying on any legal instrument – whole sets of processing activities to call centres, which collected data in breach of the law.


The pleadings submitted by Wind Tre and the corrective measures implemented by the company, as also related to the centralised approach applying to marketing campaigns, were found inadequate by the Italian SA, which accordingly fined Wind Tre EUR 16,729,600 and prohibited any further processing of the data they had acquired without consent. The Italian SA also ordered the company to take technical and organisational measures to ensure effective oversight of their business partners, along with implementing procedures to respect users’ indications to be left alone. 


During its 9 July meeting, the Italian SA also assessed the findings of the investigations regarding another phone operator, i.e. Iliad; in that case, shortcomings were detected in different respects, in particular concerning employees’ access to traffic data. Accordingly, the company was fined EUR 800,000.


Rome, 13 July 2020

You can find a link to the press release on the Italian DPA's official website here.
 

20 July 2020

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 5 000 on an individual entrepreneur running a non-public nursery and pre-school. 


Entrepreneur running a nursery and pre-school failed to provide the President of the UODO with access to personal data and other information necessary for the performance of its tasks - in this case for assessment whether the controller communicated a data breach to the data subject in accordance with the GDPR (Article 58(1)(e) of the GDPR). 


The controller notified the President of the UODO of a personal data breach, which consisted in losing access to personal data stored in the private nursery and pre-school it runs.


Given the lack of information necessary to carry out an assessment of the notification, the supervisory authority sent three requests to the entrepreneur to submit relevant explanations. Two of them were not collected on time; one was collected in person by the fined entity itself. The entrepreneur failed to respond to the requests of the President of the UODO.


It is the obligation of an entrepreneur, that is an entity conducting professional business activity on the market, to collect correspondence connected with the conducted activity. The entrepreneur's course of action is incomprehensible, considering that it notified a personal data breach to the President of the UODO and should therefore have been expecting the DPA's position in this case.


It is worth emphasizing that the activity conducted by the fined entity included the processing of personal data relating to children, who require special protection, since they can be less aware of the risk and consequences related to data processing.


When issuing the decision on imposing an administrative fine and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the severity of the breach and its duration, the intentional nature of the breach and the lack of cooperation of the controller with the supervisory authority. In the view of the President of the UODO, the imposed fine is proportionate to the severity of the established breach and to the entrepreneur's ability to pay the fine without significant detriment to the conducted activity.


The fine imposed by the President of the Personal Data Protection Office is intended to discipline the entrepreneur in terms of proper cooperation with the President of the UODO, both in further course of the proceedings in the case of data breach notification, and in other possible future proceedings with participation of this entrepreneur conducted by the President of the UODO. It is a clear signal to all entities that disregarding their obligation to cooperate, on request, with the supervisory authority, especially by hindering access to information necessary for the performance of its tasks, is a serious infringement and as such is subject to fines. 


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

 

20 July 2020


The President of the Personal Data Protection Office (UODO), after having conducted an administrative proceeding instituted ex officio in the case of imposition of an administrative fine, imposed a fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK).


The President of the Personal Data Protection Office established that the Surveyor General of Poland violated the provisions of the General Data Protection Regulation (GDPR), where the breach consisted in failure to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks. Furthermore, GGK did not cooperate with the President of the UODO during that inspection.


The President of the UODO is tasked with monitoring and enforcing the application of the GDPR. Within the scope of its competences, it conducts inter alia proceedings on the application of the provisions of the GDPR. For the performance of its tasks, the supervisory authority shall have a number of specific powers, including the right to obtain from the controller and the processor access to all personal data and to all information necessary for it, or the right to obtain access to any premises of the controller and the processor, including to any data processing equipment and means.


Moreover, the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of the GDPR.


An infringement of the provisions of the General Data Protection Regulation, consisting in failure to provide access to data and information by the controller or processor, constitutes a breach of the powers of the supervisory authority referred to in Article 58(1) of the GDPR. Therefore, the President of the UODO considered it reasonable to impose an administrative fine.


Let us remind you that at the beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations. Giving the reasoning for its position, GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.


Finally, GGK signed the authorisations, entering a written note on them stating that it refused to carry out the inspection aimed at establishing inter alia: the grounds for the processing (including disclosing on GEOPORTAL2) of personal data, the sources of such data, the scope and type of disclosed personal data, and the method and purpose of that disclosure. Furthermore, the note allows the conclusion that the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures had been implemented to ensure an adequate level of security of the data subject to protection, and whether GGK had appointed a Data Protection Officer. Unfortunately, because the inspectors were not given access to the IT systems used by GGK and could not carry out the necessary examination of those systems during the inspection, it was not established whether GGK had implemented appropriate technical measures to ensure data security. In view of the above, in the course of the inspection it was only established what organisational measures GGK used for data security and whether a Data Protection Officer had been appointed.


An inspection protocol has been drawn up from the inspection activities carried out, which has been signed by the Surveyor General of Poland.


Due to the categorical lack of consent of GGK to carry out full inspection activities and the unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground GGK enables access to personal data contained in the land and property registers when providing information from those registers via the GEOPORTAL2 online portal (geoportal.gov.pl), nor whether GGK has implemented appropriate technical measures to ensure data security. During the inspection, it was not possible to investigate what was the main subject of the inspection, because not all operations could be carried out. In this respect, the inspection was thwarted by the Surveyor General of Poland.


In addition, separate proceedings are pending before the President of the UODO concerning a breach consisting in the processing of personal data in the form of the numbers of land and property registers on the GEOPORTAL2 online portal without a legal basis.


To read the information on hindering the inspection by GGK and on issuing the decision by the President of the UODO in Polish, click here


To read the press release in Polish, click here.
To read the full decision in Polish, click here.
 

16 July 2020

The Belgian DPA just imposed a €600,000 fine on Google Belgium for not respecting the right to be forgotten of a Belgian citizen, and for lack of transparency in its request form to delist.

A Belgian citizen had requested the removal of links containing negative information about him. The request was refused by Google.

The Litigation Chamber of the Belgian DPA found that some of those links were needed for public interest and should not be removed: the citizen plays indeed a role in public life and the links concerned a presumed relation with a political party. The other links contained information that was outdated, unsubstantiated and could seriously damage the reputation of the citizen. The Belgian DPA considers that those links should have therefore been delisted by Google. For the Belgian DPA it is important to note that the facts of the case were clear, leaving Google no reasonable room to decide otherwise.   

What’s more, Google lacked transparency in their delisting form, as well as in their response to the data subject.

For these reasons, the Belgian DPA decided to impose a fine of €600,000. This is the highest fine ever imposed by the Belgian DPA.

The Belgian DPA considers itself competent in this case, among other reasons because Google argued that its main establishment in Europe (Google Ireland) was not responsible for delisting activities. The decision contains a detailed explanation of the responsibilities of the various establishments of Google.

The decision (currently only in French) is available here.

 


10 July 2020

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15 000 on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks.

The fined company provides employment services in Poland and Germany, and a complaint against its actions was lodged by a German citizen because it processed his personal data for marketing purposes. The complaint was lodged with the German data protection authority competent for Rhineland-Palatinate, but it was taken over for consideration by the President of the UODO, who was the so-called lead authority in this case, because the company is established in Poland.

Within the framework of this proceeding, the President of the UODO sent three requests to the company to submit explanations. Two of them (correctly served and received by the company) remained unanswered. The company replied to one of the requests, but its explanations were incomplete and contradictory. In the opinion of the President of the UODO, they were manifestly insufficient to establish the facts of the case. Due to such conduct of the company, the President of the Personal Data Protection Office considered that it intentionally impedes the course of proceedings or at least ignores its obligations related to cooperation with the supervisory authority. The President of the UODO therefore considered it necessary to initiate separate proceedings for the imposition of an administrative fine on it.

It was only in response to the notice of initiation of the proceedings that the company provided more extensive explanations, but they were incomplete and required further investigation. Therefore, the President of the Personal Data Protection Office considered that the company does not want to cooperate with it and does not fulfil the obligation – provided for in the GDPR – to provide it with access to personal data and other information necessary for the performance of its tasks, in this case for handling a complaint lodged by a German citizen.

When issuing the decision to impose an administrative fine on East Power Sp. z o.o. and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the seriousness of the breach (undermining the proper functioning of the personal data protection system specified by the GDPR), the intentional nature of the breach and the unsatisfactory degree of cooperation of the controller with the President of UODO in order to remedy the breach and mitigate its consequences.

Sanctions imposed by the President of the Personal Data Protection Office in the form of administrative fines are intended to discipline controllers and processors. Their disregard for their obligations related to cooperation with the President of the UODO leads to prolonging the proceedings conducted by it. In this way, it is difficult to exercise the rights of persons whose personal data are being violated.

The above situation occurs in the case of the fined company. By its actions, it makes it impossible to handle the complaint of a German citizen and to issue a decision by the President of the UODO determining the case relating to the complaint lodged.

To read the press release in Polish, click here

To read the full decision in Polish, click here

26 June 2020

The Belgian Data Protection Authority has imposed a fine of 1,000 EUR on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for its fundraising. The administrative fine was imposed following a complaint lodged with the Belgian Data Protection Authority by a former donor of the association as the latter had not complied with the request for data erasure addressed by the data subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR.

The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.

First of all, the Litigation Chamber found that the data controller did not comply with the data erasure request and the data subject's right to object. Secondly, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a ground for the processing in the present case, since it did not meet the cumulative conditions imposed by the case law of the Court of Justice of the European Union, and in particular the Rigas judgment, in this respect. According to this case law, in order to invoke Article 6.1, f) GDPR, the controller must demonstrate that i) the interests pursued by the processing can be recognised as legitimate ("purpose test"); ii) the processing is necessary for the purposes of the interests pursued ("necessity test"); and iii) the balancing of these interests against the fundamental rights and freedoms of the data subjects weighs in favour of the controller or of a third party ("balancing test"). In the present case, the Litigation Chamber decided that the third condition of Article 6.1, f) GDPR and the case law of the Court of Justice was not fulfilled.

More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect his data to be processed for direct marketing purposes years after the collection of these data (recital 47 GDPR). Moreover, the Litigation Chamber found that the data controller had not sufficiently facilitated the right of objection.

This decision implements the 2020-2025 Strategic Plan of the Belgian Data Protection Authority, of which 'direct marketing' is one of the priority strategic points. The Litigation Chamber also refers to Recommendation No 01/2020 of the Belgian DPA in this respect.

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

22 June 2020

The Norwegian Data Protection Authority has notified the Norwegian Institute of Public Health (NIPH) of its intention to impose a temporary ban on the processing of personal data in connection with the Smittestopp contact tracing mobile application. NIPH has now temporarily suspended all use of the app.
 
On Monday 15 June, NIPH announced that they have decided to suspend the app and erase all data until further notice, but that they will provide a formal response by 23 June, which is the date set by the Data Protection Authority. The notice entails a temporary ban on all collection of personal data by NIPH through the app.

Intervention no longer proportionate

“NIPH has chosen to suspend all collection and storage of data immediately. I hope they use the time left until 23 June well, both to document the benefits of the app and to make other necessary changes, so that they can resume use of it,” says Data Protection Authority Director-General Bjørn Erik Thon.
The basis for the notice is the Data Protection Authority’s assessment that the Smittestopp app can no longer be considered a proportionate intervention in the users’ fundamental rights to data protection.

“Smittestopp is a highly invasive measure in terms of data protection, even in these special circumstances, where our society is fighting a pandemic. We do not see the utility, given our current situation and the way the technical solution is designed and presently working,” Thon says.

Legality hinges on public benefit

Smittestopp is a digital solution for contact tracing. It can notify the user if they have been in close contact with people infected with Covid-19. By analysing anonymized and aggregated data of population movement patterns, NIPH will also evaluate infection control measures and monitor rates of transmission through society. Smittestopp collects large quantities of personal data about app users, including continuous location data and information about app users’ contact with others.

“Our notice does not mean that we can’t use technology and apps to fight this pandemic. However, the legality of Smittestopp hinges on its public benefit,” Thon says. “We have considered the solutions chosen for the Smittestopp app, the low proliferation of the app, with users accounting for approximately 14 percent of the population aged 16 and older, and the rates of infection in the general population. We have also taken into account the National Institute of Public Health’s release stating that the rate of infection is currently so low that it is difficult to validate that the app’s alerts are notifying the right people — not too many and not too few.”

Location data from GPS and Bluetooth

Currently, Smittestopp users cannot choose to provide personal data for contact tracing purposes without also agreeing to the data being used for analysis and research. These different purposes require different types of personal data. We question the lack of choice for the users. Several other European countries have developed contact tracing apps that rely solely on Bluetooth technology and that do not collect GPS-based location data. The World Health Organization (WHO) has also posted several publications related to digital proximity tracking for Covid-19 (example link).

“The European Data Protection Board has concluded that the use of location data in contact tracing is unnecessary and recommends the use of Bluetooth data only. We do not find that NIPH has sufficiently justified the need to use location data for contact tracing and await new information from NIPH on this issue,” Thon says.

Smittestopp currently only has contact tracing functionality in combination with notification in three test municipalities: Drammen, Trondheim and Tromsø.

“Also, no solution for anonymizing and aggregating data for analysis has yet been implemented. The app nevertheless continually collects personal data from all users,” Thon says.

Going forward

The Data Protection Authority has invited the National Institute of Public Health to a meeting on Friday 19 June to further discuss this matter. NIPH has until 23 June to provide a response to the order.

“There are many different things we need to discuss. The design of the request for approval and the use of GPS in contact tracing are central issues, but we also need to discuss the anonymization solution, which is not yet in place. A solution for how to handle requests for access will also be a topic for discussion. We need to see some specific changes on these important issues,” Thon says.

To read the press release in Norwegian, click here

For further information, please contact the Norwegian DPA: international@datatilsynet.no

19 June 2020

The Swedish Data Protection Authority (DPA) has investigated a co-operative housing association’s use of video surveillance on its property. The DPA concludes that the association has gone too far when using video surveillance in the main entrance and the stairwell and when recording audio.

The Swedish DPA has received complaints claiming that a co-operative housing association monitors the stairwell in the association’s apartment building. The DPA has now finished an audit of the association.

The Swedish Data Protection Authority’s investigation shows that the association has four surveillance cameras installed. Two are located in the stairwell, one in the main entrance and one is directed towards a distribution box in the association’s storage room. All cameras record video and audio non-stop, 24 hours a day, 7 days a week.

For the two cameras set up in the stairwell, the Swedish Data Protection Authority notes that these allow the association to map the habits, visits and social circle of the residents. “Already the fact that the surveillance is of the residents and their home environment means that it requires very strong reasons for the monitoring to be allowed,” writes the authority in its decision.

– Under special circumstances, a co-operative housing association may monitor a stairwell. However, in order for such surveillance to be allowed, the association must be able to demonstrate a pressing need for such video surveillance and that has not been the case here, says Nils Henckel, legal advisor at the Swedish DPA.

The third camera is set up at the main entrance and the association states that it is there to combat problems with vandalism, which it had experienced during two months in 2018. The Swedish DPA stresses the obligation to continuously review whether a need for video surveillance is still justified and concludes that no such need exists any longer.

As for the fourth camera, which is directed towards the distribution box, the DPA concludes that it must be re-directed so that it does not monitor the residents’ storage facilities.

Furthermore, the Swedish Data Protection Authority notes that audio recording constitutes an additional intrusion into the private sphere, in particular when recorded in a residential building, and that there are no circumstances that justify such an intrusion in this case.

The Swedish DPA also concludes that the association has failed to properly inform the residents about the video surveillance. That includes the lack of information about the data controller, where to turn for further detailed information and that audio is recorded, which is a particularly severe omission.

The Swedish Data Protection Authority orders the co-operative housing association to stop the video surveillance of the stairwell and entrance, to cease audio recording for the surveillance camera by the distribution box and to improve the information provided concerning the video surveillance. The Swedish Data Protection Authority furthermore issues an administrative fine of 20 000 Swedish kronor (approximately 2 000 euro) against the association. When calculating the amount of the fine, account was taken of the fact that it was a smaller co-operative housing association.

To read the press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se

19 June 2020

The Belgian DPA has imposed a fine of 10 000 EUR on a controller for sending a direct marketing message to the wrong person and for not responding adequately to the data subject’s subsequent request for access to his data. The marketing message was sent to the plaintiff instead of to another person who had the same name but a different email address. This incorrect processing was due to a human error. As a result, the plaintiff exercised his right of access, which did not run smoothly. The Belgian DPA established that the controller did not sufficiently respond to the request of the plaintiff (Article 15 GDPR), did not respond within the deadline set by the GDPR (Article 12.3 GDPR) and was not sufficiently transparent (Article 12.1 GDPR). For these reasons, the Belgian DPA considers that the exercise of the rights of the plaintiff was not sufficiently facilitated, as required by Article 12.2 of the GDPR.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

16 June 2020

The Belgian DPA has imposed a fine of 1000 euro on a controller for not responding to a request from a citizen to object to the processing of his data for marketing purposes (article 15.3 GDPR), and for not collaborating with the authority (article 31 GDPR).

In a previous decision, the Belgian DPA had ordered the controller to meet the request of the plaintiff and to notify the Belgian DPA of the action taken on the request. The controller did not react to this injunction. When the controller was later asked why it had not complied with the injunction of the Belgian DPA, it demonstrated a cavalier attitude and a complete lack of interest in both the application of the GDPR and the procedure. For this attitude, as well as the established infringement of the right to object, the Belgian DPA eventually decided to impose a 1000 euro fine.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

10 June 2020

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 5.000 EUR on a candidate in local elections for using the staff registry of a municipality to send election propaganda (in the form of a letter) to staff members. The Belgian municipality in question filed the complaint against the candidate.

The Litigation Chamber established the following elements:
-    A legal person (in this case the municipality) is entitled to file a complaint with the DPA.
-    Contrary to what was said by the defendant, the communication did not amount to normal communication between a municipal councillor, which the defendant was at the time, and municipal staff. The content of the letter sent shows that it was indeed election propaganda.
-    A violation of Article 5(1)(b) (purpose limitation) occurred, considering that the staff register is not meant to be used for purposes other than the internal management of the municipality.
-    The Litigation Chamber could find no legal basis for a lawful processing of data from the staff register and therefore also concluded that Articles 5(1)(a) and 6(1) (lawfulness of processing) had been violated.

The fine of 5.000 EUR was imposed on the basis of previous similar decisions by the Litigation Chamber of the BE DPA, in which it had found that further processing of data gathered for municipal purposes with the intent of using them for political propaganda violated the principles of lawful processing and of purpose limitation.

The Litigation Chamber also considers that the defendant’s other positions in public service should have led him to a greater respect for the rules on electoral campaigning, which include data protection rules.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

09 June 2020

A sanction procedure was opened for failure to respond to a request for information made in order to investigate the facts identified in a complaint. The complainant had requested the exclusion of his data from a debt file (Asnef) in which he was listed on the basis of an alleged debt to the energy supply company Iberdrola.
 
The complaint was transferred to Iberdrola and it was required to forward to the AEPD the information and documents requested in the letter. After receiving no response, the complaint was accepted.
 
Investigations were then carried out and the entity was again required to report on the facts denounced. This new request was also not answered. In a nutshell, Iberdrola had not provided the information required and consequently hindered the investigative powers that each supervisory authority has, infringing Article 58.1 of the GDPR.
 
This infringement is typified in Article 83.5(e) of the GDPR and is classified, for limitation purposes, as very serious. It was also taken into account that Iberdrola is a large undertaking, not newly created, and therefore should have established procedures for the fulfilment of its obligations under the data protection regulations, including providing any information required by the supervisory authority. For this reason, it was sanctioned with 5,000 euros, reduced to 4,000 euros as it benefited from the voluntary payment reduction provided for in the Spanish Procedure Law.

To read the full decision in Spanish, click here

For further information, please contact the Spanish DPA: prensa@aepd.es

04 June 2020

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine on Taksi Helsinki Oy for violations of data protection legislation on 26 May. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.

The Office of the Data Protection Ombudsman started an investigation on Taksi Helsinki’s personal data processing in November 2019. Serious deficiencies were found in the company’s processing of personal data.

The impact of the processing had not been assessed in accordance with data protection legislation.

Taksi Helsinki replaced its camera surveillance system with one that records both video and audio in the summer of 2019. However, the company did not assess the compliance of the related personal data processing with the GDPR.

The Deputy Data Protection Ombudsman ordered the company to conduct a balancing test to evaluate, for example, the necessity of the personal data processing and its impact on the interests and rights of the data subjects.

Taksi Helsinki also failed to conduct the impact assessments required by the GDPR before the start of processing. Data protection impact assessments would have been required for security camera surveillance, location data processing and automated decision-making and profiling connected to the company’s loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to carry out the required impact assessments.

No basis given for processing audio data

Taksi Helsinki reported that it processed the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio. However, the company did not provide an explanation for why it only processed audio data from some of its taxis. The company later stated that the audio data had been processed by mistake.

The Deputy Data Protection Ombudsman found that the processing of audio data was not in line with the GDPR’s principle of data minimisation. She ordered Taksi Helsinki to ensure that the processing of audio data without appropriate grounds is stopped immediately.

Problems with basic data protection issues

The Deputy Data Protection Ombudsman’s investigation also revealed that Taksi Helsinki did not inform data subjects of the processing of their personal data in the manner required by data protection legislation. The notifications in the taxis did not say anything about audio recording or indicate from where customers could obtain information on it.

Neither did the company’s privacy statement contain information on the automated decision-making and profiling performed in its loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to change its policies for informing customers to provide clear information on its processing of personal data. The information must also be easily accessible.

Deficiencies related to documentation and the definition of personal data processing roles were also discovered in the investigation. The Deputy Data Protection Ombudsman ordered Taksi Helsinki to rectify its procedures.

Administrative fine imposed

Several serious shortcomings in the identification of risks, compliance with data protection principles and implementation of the rights of data subjects were identified in Taksi Helsinki’s processing of personal data.

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. This amount was proportionate, effective and cautionary in the assessment of the board.

The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.

To read the full decisions in Finnish, click here.

For further information, please contact the Finnish DPA: tietosuoja(at)om.fi

The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and his two Deputy Data Protection Ombudsmen and has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.

27 May 2020

The Office of the Data Protection Ombudsman’s sanctions board imposed administrative fines on three companies for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.

Deficiencies in information provided in connection with change-of-address notifications

The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, which is the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object to the disclosure of data, in connection with making change-of-address notifications.

The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had provided such information only to customers who bought additional services in addition to making the change-of-address notification.

As early as 2017, Posti had notified the Data Protection Ombudsman that it would look into possibilities for improving the transparency of its personal data processing. The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.

The sanctions board imposed an administrative fine of EUR 100,000 on Posti Oy.

The data protection impact assessment on the processing of employee location data had been neglected

The second decision concerned a complaint made to the Data Protection Ombudsman about how Kymen Vesi Oy processed the location data of its employees by tracking vehicles with a vehicle information system. The controller had not made the impact assessment required by the GDPR before starting to process the location data. The location data was used for monitoring working hours, among other things.

A data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment is necessary, for example, if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring. The situations in which a data protection impact assessment of the processing of location data is required are described on the Data Protection Ombudsman’s website.

The sanctions board imposed an administrative fine of EUR 16,000 on Kymen Vesi Oy.

Job applicants’ personal data was collected unnecessarily

In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.

The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.

The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of EUR 12,500 on the company.

The decisions are not final, as they can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.

Sanctions must be proportionate, efficient and cautionary

This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or EUR 20 million.

The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, with the Data Protection Ombudsman serving as chairman. The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act.

To read the full decisions in Finnish, click here

For further information, please contact the Finnish DPA: reijo.aarnio(at)om.fi

15 May 2020

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed. The company had erased personal data subject to the access request of a data subject during the period after the request was submitted and prior to the company's reply. The Data Protection Authority became aware of the case on the basis of a complaint.

Good data processing

‘Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the Data Protection Authority and the Courts. This is a violation of the citizen’s fundamental rights and is not an example of good data processing,’ says Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority.

Fine proposal

The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

It is the view of the Danish Data Protection Agency that a breach of the fundamental principles of the regulation concerning processing security by a company in a case such as the one in question cannot, in principle, be penalised by a fine lower than DKK 50.000, if the basic requirement of effective and dissuasive penalties laid down by the regulation is to be complied with at the same time. At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

In most European countries, national data protection authorities can issue administrative fines themselves, but the rules are different in, inter alia, Denmark.

After having clarified and assessed the case, the Data Protection Authority (DPA) reports the data controller to the police. The police then consider whether there are grounds for bringing a charge, and finally any financial penalty is decided by a court.

To read the press release in Danish, click here

For further information, please contact the Danish SA: dt@datatilsynet.dk

13 May 2020

The Swedish Data Protection Authority’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

The Swedish Data Protection Authority received a complaint against the Healthcare Committee in Region Örebro County, in which it was claimed that sensitive personal data about a patient admitted to a forensic psychiatry clinic had been published on the region’s website.

– Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region’s website, says Elin Hallström, Legal Advisor at the Swedish Data Protection Authority.

The Swedish Data Protection Authority’s audit shows that there are no written instructions in place relating to the publication of documents and personal data on the website. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed, which led to the accidental publication of the document, suggesting that the Committee had not taken sufficient organisational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

– For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publish personal data on the region’s website do so in accordance with the set instructions.

In its decision, the Swedish Data Protection Authority also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

The Swedish Data Protection Authority orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
30 April 2020

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

The Data Protection Authority (DPA) initiated an investigation against the National Government Service Centre (NGSC) upon having received a number of personal data breach notifications concerning an error in the IT system for salary administration. The error entailed the possibility of unauthorised access to personal data of both personnel of authorities using the system and of the personnel of the NGSC.

- Our investigation shows that it has taken too long for the NGSC to inform the concerned parties about the error and furthermore that the NGSC has failed to report the personal data breach to the DPA in due time. The documentation of the breach, as required under the GDPR, was also found incomplete with regard to the NGSC’s personnel and their data, says Elin Hallström, legal advisor, who has been leading the DPA’s audit.

The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.

- When a data breach of this kind is discovered by a processor such as the NGSC in this case, it is important to inform the controllers as soon as possible so that they can report the breach to the DPA and take further actions to mitigate any related risks. The NGSC has failed to act in time.

In its decision the DPA orders the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are followed. Together with this order the DPA imposes an administrative fine on the NGSC totalling 200,000 Swedish kronor.

The National Government Service Centre coordinates the administration of government agencies by offering administrative support services to other government agencies. It offers basic services in the areas of salary administration, financial administration and eCommerce.

To read the press release in Swedish, click here
To read the full decision in Swedish, click here
For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

03 April 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice, a company from the telemarketing industry, for making it impossible to conduct an inspection. Additionally, the company’s owner is subject to criminal liability for this.

The President of the Personal Data Protection Office (UODO) decided to conduct inspection activities at the penalised company in connection with the findings made in the course of another inspection, performed at a company conducting telemarketing activities. It was established that this company had a cooperation contract with Vis Consulting Sp. z o.o. for the outsourcing of telemarketing services. Therefore, the supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.

Unfortunately, the UODO’s inspectors, after prior notification of the planned inspection, did not find anyone at the address indicated in the National Court Register (KRS). On the spot, there was only a company which leased office space to Vis Consulting Sp. z o.o. (a so-called virtual office).

The inspectors managed, however, to contact Vis Consulting by telephone, and its proxy informed them that the inspection would not take place.
Therefore, the President of the UODO concluded that the company in no way wished to cooperate with the personal data protection authority. On two consecutive days of planned inspection activities, the company twice made it impossible to carry out the inspection. Furthermore, on the date on which the inspectors attempted to conduct the inspection at Vis Consulting Sp. z o.o., its governing bodies decided to liquidate that entity.

In the opinion of the President of the Office, this company does not comply with the obligations relating to the processing of personal data and intentionally avoids being subject to inspection by the supervisory authority. Thus the company infringed the provisions of Article 31 of the GDPR in conjunction with Article 58(1)(e) and (f) of the GDPR, which concern cooperation with the supervisory authority and giving it access to all personal data and any information.
Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied. In determining the amount of the fine, the supervisory authority did not identify any mitigating circumstances affecting the amount of the fine.

In connection with the suspected commission of an offence under Article 108(1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice. According to that provision, preventing or hindering an inspection of compliance with the personal data protection provisions is subject to a fine, restriction of personal liberty or imprisonment for up to two years. The Public Prosecutor’s Office has already lodged an indictment against the President of the Company with the court.

To read the press release in Polish, click here

To read the full decision in Polish, click here

11 March 2020

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the GDPR. Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

In 2017 the Swedish Data Protection Authority (DPA) finalised an audit concerning how Google handles individuals’ right to have search result listings for searches that include their name removed from Google’s search engine, for example because the listing is inaccurate, irrelevant or superfluous. In its decision the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.

In 2018, due to indications that Google had not fully complied with the previously issued order, the DPA initiated a follow-up audit. This audit is now finalised and the DPA is issuing a fine against Google.

– The General Data Protection Regulation, GDPR, increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right, says Lena Lindgren Schelin, Director General at the Swedish DPA.

The Swedish Data Protection Authority is critical of the fact that Google did not properly remove two of the search result listings that the DPA had ordered it to remove back in 2017. In one of the cases Google made too narrow an interpretation of which web addresses needed to be removed from the search result listing. In the second case Google failed to remove the search result listing without undue delay.

When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice puts the right to delisting out of effect.

– In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, says Olle Pettersson, legal advisor at the Swedish DPA who has participated in this audit of Google.

Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.

Facts about the right to have search result listings removed
In May 2014 the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is incorrect, irrelevant or superfluous. This right was strengthened with the GDPR entering into force on 25 May 2018. The right is, however, not absolute: you cannot demand that all search results be removed. Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.
What happens next?
Google may appeal the decision of the Swedish DPA within three weeks. If Google decides not to appeal, the decision will enter into force by the end of that time period. Once the decision has entered into force it will be handed over to the Legal, Financial and Administrative Services Agency (Kammarkollegiet) that handles the administration of fines under the GDPR.

Note to editors:

The personal data processing in question is part of the processing operations carried out by Google as a search engine operator. For this part of Google’s activity it is Google LLC (parent company of the Google group) established in the United States that decides the purpose and means of the processing. Since there is no main establishment within the EU for this part of Google’s operations, each Supervisory Authority in the EU is competent for investigating possible infringements of the GDPR within their territory.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se  

10 March 2020

The Danish Data Protection Agency has reported the municipality of Gladsaxe and the Municipality of Hørsholm to the police, as it finds that the municipalities have not met the requirements of an adequate level of security under the General Data Protection Regulation (GDPR).

Fines of DKK 100.000 and DKK 50.000 have been proposed for the municipalities of Gladsaxe and Hørsholm respectively.

The Data Protection Agency became aware of the cases when both municipalities notified the agency of personal data breaches relating to the theft of computers containing personal data.

Neither computer was protected by encryption, and the loss of personal data by the municipalities therefore posed an undue risk to their citizens.

In one of the cases, the lack of security resulted in a serious personal data breach, as a computer containing personal data of 20.620 citizens, including information of a sensitive nature and personal data, was stolen from Gladsaxe City Hall.

The second security breach took place when the computer of an employee from the municipality of Hørsholm was stolen from his car. On the computer, there was information on about 1.600 employees in the municipality of Hørsholm, including information of a sensitive nature and personal data.

The specific security breaches illustrate some of the possible consequences of the insufficient level of security, which poses a high risk to all citizens whose data the municipalities process.

Municipalities have a great deal of responsibility
“A municipality processes very large amounts of personal data concerning the municipality’s citizens, including information of a sensitive nature. As a citizen, it is not possible to opt out of the municipality’s processing of information about oneself, and the municipality therefore has a high responsibility to avoid the information being disclosed,” said Frederik Viksøe Siegumfeldt, Head of Unit of the Supervisory Unit in the Danish Data Protection Agency. He explains:

“It is simple to access the files stored on the computer when a computer’s hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data are stored locally on the computer, it is very imprudent that the municipalities' computers were not encrypted.”

Proposal of fines
The Danish Data Protection Agency has decided to report the Municipality of Gladsaxe and the Municipality of Hørsholm to the police and proposes that the two municipalities be fined DKK 100.000 and DKK 50.000 respectively.

To read the press release in Danish, click here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

10 March 2020

On 5 March 2020, the Icelandic Supervisory Authority (SA) took the decision to impose an administrative fine of ISK 3.000.000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.

The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.

The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of the controller’s failure to implement appropriate data protection policies and appropriate technical and organisational measures to protect the data. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)(f) and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The SA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

10 March 2020

On 5 March 2020, the Icelandic SA took the decision to impose an administrative fine of ISK 1.300.000 (EUR 8.945) on the Breiðholt Upper Secondary School in a case relating to a personal data breach.

The breach occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. However, the attachment concerned a different group of students, 18 in total, and contained data on their well-being, study performance, and social conditions. To a considerable extent, the information concerned the students' problems. In one instance, the data had to do with an intervention by child protection services. Furthermore, there were data on one student's physical illness, and on another student's mental health problem.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of the controller’s failure to implement appropriate data protection policies and appropriate technical and organisational measures to protect the data. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)(f) and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal information involved in the breach, which were data concerning health and other personal issues. The SA also cited the nature of the Breiðholt Upper Secondary School as a nonprofit institution.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

05 March 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with a breach consisting in the processing of children’s biometric data for access to the school canteen.

The school processed special categories of data (biometric data) of 680 children without a legal basis, although it could in fact have used other forms of student identification.

For that breach, an administrative fine was imposed on Primary School No. 2 in Gdansk. In addition, the President of the Personal Data Protection Office (UODO) has ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.

Following ex officio administrative proceedings, the President of the UODO established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify payment of the meal fee.

The proceedings have shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use the biometric reader and four pupils use an alternative identification system.

In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much with the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprint verification, but also with electronic cards, or by giving the child’s name and contract number. Thus, in the school, there are alternative forms of identifying a child’s entitlement to receive lunch.

In the fined Primary School No. 2, in accordance with the lunch rules, available on the website of the school’s canteen, students who do not have biometric identification have to wait at the end of the queue until all the students with biometric identification enter the canteen. Once all the students with biometric identification have entered the canteen, the students without biometric identification are allowed to enter, one by one. In the opinion of the President of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification. Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.

The President of the UODO, in the grounds of his decision, emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic data. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

03 March 2020

The Dutch DPA imposed a fine of EUR 525,000 on tennis association KNLTB for selling the personal data of its members. In 2018, KNLTB unlawfully provided personal data of a few thousand of its members to two sponsors.

Fine for tennis association for selling personal data

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is imposing a fine of 525,000 euro on tennis association KNLTB for selling personal data. In 2018, the KNLTB unlawfully provided, against payment, the personal data of a few hundred thousand of its members to two sponsors.

The Koninklijke Nederlandse Lawn Tennisbond (KNLTB) provided the sponsors with personal data such as name, gender and address, so that they could approach a selection of KNLTB members with tennis-related and other offers. One sponsor received the personal data of 50,000 members, the other of more than 300,000. Those sponsors approached some of those KNLTB members by post or telephone.

Sale of personal data

For every processing of personal data, the organisation processing it must be able to rely on one of the six legal bases in the GDPR, for example that the person concerned has given consent for that processing. Selling personal data without the consent of the person behind the data is generally prohibited. The KNLTB took the view that it had a legitimate interest in selling the data. The AP does not agree and has ruled that the KNLTB had no legal basis for passing those personal data on to the sponsors.

KNLTB complaint about the AP
During the investigation into the KNLTB, the tennis association lodged a complaint against the AP, which the AP declared well-founded. The complaint concerned an appearance by AP chairman Aleid Wolfsen on the television programme Nieuwsuur on 17 December 2018, in which Wolfsen said that the AP was investigating ‘a sports association’. In response to this complaint, the AP has acknowledged that in that broadcast it gave the impression that the KNLTB’s conduct was not correct while the investigation into it was still ongoing. The KNLTB saw an appearance of bias in those statements, which the AP regrets. On the recommendation of the National Ombudsman, the AP hereby states that Wolfsen’s statements wrongly anticipated the outcome of the investigation.

KNLTB objection
The KNLTB has lodged an objection against the fining decision. The AP will now assess it.

To read the full decision, click here

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

01 February 2020

The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.

From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM was shown to be insufficiently familiar with fundamental features of the processing activities it performed (accountability).
In many cases out of the millions of marketing calls that had been placed to ‘non-customers’ in a six-month period, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of any consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found, such as TIM’s failure to supervise the activities of some call centres or to properly manage and update its blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted at customers, and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes, including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company may no longer use the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.

The injunctions issued by the Italian SA include the obligation for TIM to check the consistency of its blacklists and to promptly acquire those put together by call centres so as to update its own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities it performs along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in its individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
27 January 2020

The Commissioner for Personal Data Protection (Cypriot SA) fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for a total amount of EUR 82,000.00, concerning the lack of a legal basis for the “Bradford Factor” tool, which was used to score the sick leave of employees.

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind the Bradford Factor automated system for scoring employees' sick leave was that short, frequent and unplanned absences lead to greater disorganisation of the company than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using the 'Bradford Factor', and profiling individuals based on the results is considered processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.

In the course of the investigation, we made use of the possibility to raise legal questions to the other EEA SAs via the so-called mutual assistance procedure and received input from 25 authorities. The replies received validated the absence of a legal basis for the said processing and highlighted the necessity to regulate such issues with specific rules in line with Article 88 of the GDPR.

After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such a processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on Article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leave and the validity of sick leave certificates. However, such a prerogative should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

Having established such unlawful conduct, the Commissioner ordered the controller to interrupt the processing and delete all data collected. Moreover, a fine of €70,000 was imposed on LGS Handling Ltd, a fine of €10,000 was imposed on Louis Travel Ltd and a fine of €2,000 was imposed on Louis Aviation Ltd, in relation to the infringements of Articles 6(1) and 9 of the GDPR.

When deciding on the amount of the administrative fines, due regard was given to the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.

The full decision in Greek is available here.

For further information, please contact the Cypriot SA: commissioner@dataprotection.gov.cy

17 January 2020

The Italian Supervisory Authority imposed two fines on Eni Gas e Luce (Egl), totalling EUR 11.5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8.5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozen alerts and complaints received in the immediate aftermath of the full application of the GDPR.
The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.

The Italian SA further prohibited the company from using the data made available by the list providers if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect data in the contracts and forged signatures.

About 7,200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here.

For further information, please contact the Italian SA: garante@garanteprivacy.it

14 January 2020

The Hellenic DPA, in response to a complaint, conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager who was suspected of having committed unlawful acts against the company’s interests.

The Authority found that the company, as a controller, had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retrieving the employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on www.dpa.gr under “Decisions”.

For further information, please contact the Hellenic DPA: contact@dpa.gr
