DATA PROTECTION IN MARCH 2021
By Mugurel Olariu, RPD protectie date
The data protection bodies at European level (EDPB) and at national level (ANSPDCP) continued their efforts to regulate the field and, respectively, to supervise the activity of controllers.
Thus, the EDPB held two remote plenary meetings, on 09 March and on 30/31 March.
✔ In the meeting of 09.03.2021, the following documents were adopted [1]:
■ Guide no. 9/2020 on relevant and reasoned objection (final form after public consultation)
■ Guide no. 1/2020 on connected vehicles (final form after public consultation)
■ Guide no. 2/2021 on virtual voice assistants (version for public consultation until 23.04.2021)
■ Common opinion with EDPS no. 3/2021 on the proposal for a Regulation of the European Parliament and of the Council on data governance
■ Declaration on the draft ePrivacy Regulation.
✔ In the meeting of 30/31.03.2021, the EDPB together with the European Data Protection Supervisor (EDPS) adopted the Joint Opinion on the Digital Green Certificate Proposals.
The heads of the two European authorities issued a press release, posted on the EDPB website on 06.04.2021 [2], which states the following:
“The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates.
With this Joint Opinion, the EDPB and the EDPS invite the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation. The data protection commissioners from all EU and European Economic Area countries highlight the need to mitigate the risks to fundamental rights of EU citizens and residents that may result from issuing the Digital Green Certificate, including its possible unintended secondary uses. The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.
Andrea Jelinek, Chair of the EDPB, said: «A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place.»
Wojciech Wiewiórowski, EDPS, said: «It must be made clear that the Proposal does not allow for – and must not lead to – the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis.»”
At national level, ANSPDCP published on its website [3], under the heading News, the sanctions and corrective measures applied in the case of four controllers. For the preventive side of GDPR application by industry controllers, the most important circumstances of the cases presented by the authority are as follows:
➤ On 04.03.2021, a natural person, acting as a controller, was sanctioned with a fine totalling 2,437.35 lei (the equivalent in lei of 500 EURO). The investigation was launched following a complaint alleging that, on a social network, the personal page of a natural person holding the position of Secretary General within a sector branch of a political party displayed a list of 10 entries with signatories / supporters for the election of the General Council and the Mayor of Bucharest. The personal data of those signatories / supporters were accessible on the list: name and surname, signature, citizenship, date of birth, address, identity document series and number, and their political choice.
➤ On 18.03.2021, the controller BNP Paribas Personal Finance SA Paris Bucharest Branch was sanctioned with a fine of 10,000 lei. The investigation was initiated following a complaint from the data subject, who had received a commercial SMS message from BNP Paribas Personal Finance S.A. Paris Bucharest Branch on their telephone number. The investigation found that the controller could not prove the existence of the data subject's prior consent, as required by art. 12 of Law no. 506/2004, as amended and supplemented, even though the petitioner had previously exercised, repeatedly, the right to object to the processing of their data for marketing purposes.
➤ On 23.03.2021, the controller S.C. Medicover S.R.L. was sanctioned with a fine of 9,749.6 lei (the equivalent of 2,000 EURO). The investigation was initiated after the controller submitted successive personal data breach notifications reporting unauthorized disclosure of and unauthorized access to personal data such as name and surname, CNP (personal numeric code), identity card (CI) series and number, the address on the identity card, correspondence address, contact telephone number and e-mail, as well as name and health data, which had been sent by e-mail or postal mail to individuals other than the intended recipients. The supervisory authority found that the controller had not implemented adequate technical and organizational measures to ensure that any natural person acting under its authority and having access to personal data processes them only on the controller's instructions, which led to the unauthorized disclosure of and unauthorized access to personal data transmitted to the wrong e-mail or postal addresses.
➤ On 30.03.2021, the controller TELEKOM ROMANIA MOBILE COMMUNICATIONS S.A. was sanctioned for minor offences:
■ with a fine in the amount of 48,748.00 lei (the equivalent of 10,000 EURO), for violating art. 32 para. (1) and para. (2) of the General Data Protection Regulation;
■ with a fine in the amount of 15,000 lei, for the contravention provided by art. 13 para. (1) lit. a) of Law no. 506/2004.
The investigation found that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, which led to unauthorized disclosure of and / or unauthorized access to personal data such as customer ID, customer code, name and surname, CNP, date of birth, sex, telephone number, e-mail, address (country, city, street) and the amount of debt associated with the customer code of 99,210 persons / customers. Specifically, their billing addresses had been entered erroneously in the database of individual customers, which was then sent to a contractual partner under a debt assignment contract, so that notifications addressed to customers were sent to the wrong addresses. It was also found that the controller had not taken adequate technical and organizational measures to ensure the security of the processing, capable of protecting stored or transmitted personal data against unlawful storage, processing, access or disclosure, which led to unauthorized access to the personal data held in the My Account accounts of 413 data subjects / Telekom Romania customers (account holder name; date of birth; phone numbers used; home address; e-mail address; subscriber code; contracted services; extra options active on the account; simple invoice history). We emphasize that the controller was obliged to guarantee that personal data can be accessed only by authorized persons and for the purposes provided by law; by failing to do so, it violated art. 3 para. (1) and para. (3) lit. a) and b) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented.
[1] More information can be found at: https://edpb.europa.eu/news/news_en