Evolutions in the mechanisms of data protection – October 2020

By Mugurel Olariu, RPD protectie date

The data protection authorities adopted, in October, new working tools and took measures to implement the provisions of the GDPR, both at European level – EDPB and at national level – ANSPDCP.

European Data Protection Board – EDPB:
The EDPB held two online / remote plenary sessions on 8 and 20 October, adopting new tools for data protection mechanisms, as follows:

In the meeting of October 8, the EDPB adopted Guide no. 9/2020 on the concept of relevant and substantiated objection from the perspective of the General Data Protection Regulation (GDPR)
This Guide aims to clarify the notion of relevant and motivated objection, defined in art. 4 point 24 of the General Data Protection Regulation, in order to ensure its adequate application in the cooperation mechanism between the national data protection authorities established by art. 60 of this Regulation. Please note that the guide is in the public consultation phase and open for feedback until 24.11.2020.

In the meeting of October 20, the EDPB adopted Guide no. 4/2019 on Art. 25 of the General Data Protection Regulation – Data Protection by Design and by Default (privacy by design and by default).
In the context of accelerated technological evolution, the principle of data protection by design and by default, enshrined in art. 25 of the GDPR, is a significant aspect of ensuring compliance with data protection in contemporary society. The adopted guide is intended to support operators and persons empowered by the operator, in order to ensure a uniform and effective application of the requirements of this principle, taking into account the purpose, nature, context and risks of processing, in relation to the need for effective and other compliance principles of personal data processing. This tool contains numerous practical examples and a section of recommendations, including on the role of the data protection officer within operators / proxies. Version 2.0 of the Guide was developed and adopted after the public consultation phase launched on 13.11.2019.

National Authority for the Supervision of Personal Data Processing – ANSPDCP:
The national authority published a series of statistical data on its control activity for the period January – September 2020, from which we select, for preventive purposes, the most important aspects for operators, as follows:
➣ Investigations were opened as a result of receiving:
3952 complaints,
176 notifications and
128 notifications regarding security incidents.

➣ The data operators were charged with violating the provisions of the GDPR:
art.5, Principles relating to processing of personal data;
art.6, Lawfulness of processing;
art.7, Conditions for consent;
art.9, Processing of special categories of personal data;
art.12, Transparent information, communication and modalities for the exercise of the rights of the data subject;
art.14, Information to be provided where personal data have not been obtained from the data subject;
art.15, Right of access by the data subject;
art.25, Data protection by design and by default and
art.32, Security of processing.
Also charged: violation of the provisions of art. 13, The sanctioning regime, of Law no. 506/2004.

➣ The following were applied:
22 fines in the total amount of 68,900 euros and 10,000 lei, the latter being a fine applied under Law no. 506/2004;
46 warnings; and
42 corrective measures, aiming at:
◆ observance of the requests of the data subjects through which they exercised their rights under the GDPR;
◆ ensuring the conformity of the processing operations with the provisions of the GDPR;
◆ reviewing and updating the implemented technical and organizational measures, including the working procedures regarding the protection of personal data, as well as implementing measures for the regular training of persons acting under the authority of the operator on their obligations under the provisions of the GDPR, including the risks involved in the processing of personal data, depending on the specifics of the activity;
◆ performing a risk assessment for the rights and freedoms of persons, including the classification of a degree of risk, taking into account the nature, scope, context and purposes of the processing;
◆ reviewing and updating the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the working procedures related to the protection of personal data.