CEPD

WORKING TOOLS ADOPTED BY EDPB AND ADMINISTRATIVE MEASURES AT THE EU MEMBER STATES LEVEL

by Mugurel Olariu, RPD protectie date

Working tools adopted by the EDPB

At its online plenary session on 02.092020, the EDPB adopted two working tools for public consultation(1). The tools cover:
✔ Guidelines 07/2020 on the concepts of controller and processor in the GDPR(2).
Guidelines 7/2020 aim at clarifying the key concepts in the application of personal data protection rules, related to the provisions of art. 4 of the GDPR and considering their role in establishing the corresponding obligations, respectively the notions of controller, joint controllers and the processor. The new guidelines consist of two main parts: one that explains the different concepts; the other, including detailed guidance on the main consequences of these concepts for common controllers, processors and joint controllers. The guidelines include a diagram to provide additional practical guidance.

✔Guidelines 8/2020 on targeting social media users(3).
Guidelines 8/2020 present concrete situations in order to be of real benefit to companies in their activity. The main purpose of the guidelines is to clarify the roles and responsibilities of the social media provider and the data subject. To this end, the guidelines identify, inter alia, the potential risks to individual freedoms, the main actors and their roles, the application of key data protection requirements, such as legality, transparency, DPIA and key elements of arrangements between social media providers and data subjects. In addition, the guidelines focus on the different targeting mechanisms, the processing of special categories of data and the obligation for common operators to establish an appropriate agreement in accordance with Article 26 of the GDPR.

The public consultation shall take place by 19 October 2020 at the latest, and any interested person shall be able to submit any proposals or comments it deems necessary. Please note that they can be published by the EDPB, according to the Specific Privacy Statement form.

Administrative measures at EU Member State level
The summer months – July and August came with fairly consistent administrative measures applied by the National Supervisory Authorities of the EU Member States, as shown by the national news section of the EDPB(4).
From these, we made a selection of the most important measures, in order to bring to the attention of the operators the qualification and the importance of the technical and organizational measures that must be adopted, for preventive purposes:

– July 16 – The Belgian National Supervisory Authority (NSA) fined Google Belgium € 600,000 for non-compliance with the right to be forgotten by a Belgian citizen and for lack of transparency in its deregistration application form.

A Belgian citizen has requested the removal of links containing negative information about him. The request was denied by Google. The Belgian NSA Chamber of Disputes found that some of these links were necessary for the public interest and should not be removed: the citizen does play a role in public life, and the links concerned an alleged relationship with a political party. The other links contained outdated, unfounded information that could seriously affect the citizen’s reputation. The Belgian NSA considers that these links should therefore have been removed from Google. For the Belgian NSA, it is important to note that the facts of the case were clear, leaving Google no reasonable room to decide otherwise. Moreover, Google did not have transparency in the form of deletions, as well as in the response to the person concerned. For these reasons, the Belgian NSA decided to impose a fine of EUR 600,000. This is the largest fine ever imposed by the Belgian NSA.

RPD protectie date

July 27 – Italian NSA fined some telephone operators EUR 17 million – Wind Tre SpA and EUR 0.8 million – Iliad
As part of the implementation of the Italian NSA on telephone operators, Wind Tre SpA was fined around EUR 17 million on 9 July due to several cases of illegal data processing which were mainly related to marketing. The Italian NSA has already issued a prohibitive measure against the company, due to similar infringements that took place when the previous data protection law was in force. The fine was applied following complex investigations and inspections. Complaints were received from users against unsolicited marketing communications made without their consent via text messages, e-mails, faxes and automated phone calls. In several cases, the complainants stated that they were not allowed to exercise their right to withdraw consent or object to the processing of their data for marketing purposes, in part because of inaccurate contact information provided in the notifications. In other cases, users’ personal data were included in public telephone lists, despite objections (sometimes reiterated) made by those users. The survey showed that MyWind and My3 applications were configured to require the user to consent, at each access, to processing for various purposes, including marketing, profiling, data communication to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours.
At its meeting on 9 July, the Italian NSA also assessed the findings of investigations into another telephone operator, the Iliad; in this case, the shortcomings were detected in various respects, in particular as regards employees’ access to traffic data. Consequently, the company was fined EUR 800,000.

July 29 – Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information imposes a fine of EUR 1,240,000, AOK Baden-Wuerttemberg
From 2015 to 2019, AOK Baden-Wuerttemberg hosted raffles on various occasions. In this context, AOK collected the personal data of the participants, including contact details and health insurance affiliation. Among other things, AOK wanted to use this data for advertising purposes, provided that the participants had consented accordingly. Through technical and organizational measures, which included internal guidelines and data protection training, among others, AOK wanted to ensure that only the data of raffle participants who had given their prior and valid consent would be used for advertising purposes. However, these measures established by AOK did not comply with the legal requirements. The personal data of more than 500 participants in the raffle were therefore used for advertising purposes without their consent.
Due to breach of secure data processing obligations (Article 32 of the European General Data Protection Regulation, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) issued a fine of 1,240. 000 € against AOK Baden-Wuerttemberg. At the same time, the Department of Fines, in constructive collaboration with AOK, has also paved the way for improved technical and organizational measures for the protection of personal data at AOK Baden-Wuerttemberg.

data

August 6 – Dutch NSA fined the National Credit Register (BKR) EUR 830,000 for personal data access fees
The National Credit Register (BKR) in the Netherlands can no longer charge fees to people who want to access their personal data. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple and they must be able to request a new copy after a reasonable period of time has elapsed. BKR has created too many barriers for people who want to access their data. Under confidentiality law, this is not allowed. As a result, the Dutch Data Protection Authority (Dutch NSA) issued BKR with a fine of EUR 830,000.

August 18 – Spanish NSA fined XFERA MOVILES EUR 70,000 for disclosing a customer’s personal data to a third party.
The applicant was informed by another customer of Masmovil that, due to a mistake by a company, they had been charged with the applicant’s invoice and thus had access to their personal data (name, identity card number and personal telephone number). NSA considered that this was a breach of the principle of confidentiality, as set out in Article 5 (1) (f) of the GDPR.

—————————————————————————-
1. See https://edpb.europa.eu/news/news_en.
2. See https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en.
3. See https://edpb.europa.eu/our-worktools/public-consultations-art-704/2020/guidelines-082020-targeting-social
4. See https://edpb.europa.eu/news/national-news_en.