Data protection at the end of 2020
by Mugurel Olariu, RPD protectie date
Data protection authorities, both at European level (the EDPB) and at national level (ANSPDCP), worked throughout the 2020 pandemic year to ensure compliance with the personal data protection rules.
At EDPB level, several documents were adopted at the last plenary meeting of 15 December 2020, among them the 2021-2023 Strategy. The Strategy sets out the Board’s short- and medium-term objectives, grouped around four pillars, together with three key actions per pillar to help achieve those objectives. The four main pillars of the EDPB strategy are:
• advancing harmonization and facilitating compliance;
• supporting effective enforcement and cooperation between national supervisory authorities;
• a fundamental rights approach to new technologies; and
• the global dimension.
The Strategy will be implemented through a work program that details the actions the EDPB intends to take; this work program is to be adopted in early 2021.
Note also that Guidelines 10/2020 on restrictions under Article 23 GDPR remain in public consultation until 12 February 2021 *1.
At national level, ANSPDCP published on its official website information on the activities it carried out, namely:
– an analysis of data protection issues specific to owners’ associations;
– a working meeting with AmCham to clarify the effects of the CJEU judgment in the Schrems II case and the applicability of the EU-US Privacy Shield;
– corrective measures ordered against the investigated controllers, from both the private and the public sector: contravention fines, warnings, remediation plans, orders to bring processing into conformity with the GDPR, etc.
One substantial fine *2 stands out: the equivalent of EUR 100,000, imposed on an economic operator in the banking sector for breach of Art. 32(1) and (2) in conjunction with Art. 5(1)(f) GDPR. The controller was sanctioned with a fine of 487,380 lei (the equivalent of EUR 100,000).
The investigation was opened following complaints about a breach of the confidentiality and security of personal data. It was found that a statement which the controller had requested from one of its customers, explaining how he intended to use a sum of money he wished to withdraw from his account, had ended up in the public space (online). The statement had been circulated among several Bank employees via their work e-mail addresses. One employee printed the e-mail containing the customer’s statement together with the e-mail containing the internal conversation between the controller’s employees. Another employee photographed the printed document with his mobile phone and distributed it via WhatsApp. The printed document was subsequently posted and shared on the social network Facebook and on a website.
This resulted in the disclosure of, and unauthorized access to, personal data (name and surname, e-mail addresses, behavioral data, personal preferences, value of the financial transaction, workplace and job position, work telephone number) of four data subjects (one customer and three of the Bank’s own employees), although under Art. 5(1)(f) GDPR the controller was obliged to observe the principle of integrity and confidentiality of personal data.
In its investigation at the Bank, the Supervisory Authority found that the controller had not taken sufficient measures to ensure that natural persons acting under its authority (its employees) who have access to personal data process them only on the controller’s instructions.
The disclosure into the public space also shows that the controller’s internal training of its employees on the data protection rules protecting data subjects was ineffective, even though employee training is an intrinsic part of the technical and organizational measures the controller was obliged to adopt in order to ensure a level of security appropriate to the risk of the processing; this constitutes a breach of Art. 32 GDPR.
In setting the fine, account was also taken of the fact that the disclosure of personal data in the public space (on the Internet) caused moral damage, as well as other significant economic or social disadvantages, to the individual affected by the security incident (the Bank’s customer).
1. See https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-102020-restrictions-under-article-23_ro