DATA PROTECTION AT EUROPEAN AND NATIONAL LEVEL
By Mugurel Olariu, RPD protectie date
The two bodies specialized in the field of personal data protection, at European level – EDPB and at national level – ANSPDCP, carried out in September and August a.c., current activities, among which we mention:
At European level, the EDPB held two online plenary meetings on 14 and 24 September, finalized with the following documents:
✔ September 14, 2021:
■ The Minutes for sittings 51, 52 and 53 and the draft agenda for sitting 54 were adopted respectively.
■ Discussions regarding the Guidelines on the interaction between art. 3 and Chapter V of the RGPD
■ Two mandate requests related to the Declaration on digital and data strategy and, respectively, Exchange of experts in mobile applications.
✔ September 24, 2021:
■ The draft agenda for meeting 55 was adopted
■ Opinion on the decision of South Korea to adapt under the GDPR
■ Request for a mandate for a Working Group on Cooperation on NYOB complaints on the issue of cookies and dark patterns
The National Authority for the Supervision of Personal Data Processing, in August this year, presented the activities carried out, as follows:
✔ 6 August 2021, published the Annual Activity Report for 2020, which:
■ contains a summary of the Authority’s activity, being structured in accordance with the main competencies, in the following chapters: Chapter I – Overview, Chapter II – Regulatory, endorsement, consultation and public information activity, Chapter III – Monitoring and control activity, Chapter IV – Activities in the field of international relations and Chapter V – Economic management of the Authority.
■ contains statistical benchmarks highlighted in each chapter, including graphs compared to previous years, such as: the number of investigations carried out in total or differentiated (ex officio or on the basis of complaints), the number of complaints and notifications received, the number of corrective measures applied (including fines), number of views issued, number of pending litigation, number of press releases, number of corporate / IMI rules.
■ also contains case files / cases related to the investigation activity, as well as the most relevant points of view issued, which reflect the complexity of the activity carried out, by reference to the attributions of this institution.
■ for a more detailed analysis, we specify that it is publicly available on the ANSPDCP website in the section “General information / Information of public interest / Annual reports”
✔ August 24, 2021:
■ finalized in August 2021 an investigation at the operator Actamedica SRL and found a violation of the provisions of art. 12 para. (3), art. 15 para. (1), art. 28 para. (1), art. 32 and art. 33 of the General Data Protection Regulation.
■ As such, the operator Actamedica SRL was sanctioned for minor offenses:
◆ with a fine in the amount of 9836.6 lei (equivalent to 2,000 EURO), for violating art. 28 para. (1) and art. 32 of the General Regulation on Data Protection;
◆ with a fine in the amount of 4918.3 lei (equivalent to 1,000 EURO) for violating art. 33 of the General Regulation on Data Protection;
◆ with warning, for violating the provisions of art. 12 para. (3) and art. 15 para. (1) of the General Data Protection Regulation.
✔ August 25, 2021:
■ finalized in July of this year an investigation at the A-Car Vaslui Roadside Assistance Association, an operator under the provisions of art. 2 para. (1) lit. a) of Law no. 190/2018.
■ The investigation was started as a result of a notification regarding the fact that the A-Car Vaslui Roadside Assistance Association processes personal data of minors (image), through the website www.a-carvaslui.ro.
■ The A-Car Vaslui Roadside Assistance Association did not carry out the measures provided in the remediation plan communicated by the National Supervisory Authority, thus violating the provisions of art. 58 para. (1) lit. a) and letter e) of Regulation (EU) 2016/679.
◆ As such, pursuant to art. 14 para. (1) of Law no. 190/2018, the operator was sanctioned with a fine in the amount of 10,000 lei, for the deed provided by art. 14 para. (5) lit. e) of Law no. 190/2018, reported in art. 58 para. (1) lit. a) and letter e) of Regulation (EU) 2016/679.
✔ August 27, 2021, posted a press release summarizing the document, prepared as the EDPB Study, “Overview of the resources made available to data protection authorities by Member States and on enforcement actions by data protection authorities of data”. We specify that it was the subject of our article from September a.c. – DATA PROTECTION RESOURCE STATISTICS.
