Data Protection News: October 2019

Wave of 55 GDPR enforcement actions hits Romanian controllers

The Romanian Data Protection Authority (ANSPDCP) has recently published a list summarizing 55 cases where it took measures against data controllers for a vast array of issues concerning GDPR and ePrivacy compliance.

The list is available in English on the ANSPDCP website and shows that legal as well as natural persons were sanctioned and that 7 pecuniary fines were applied ranging between approx. 130,000 Eur – 1,000 Eur (the highest fines we applied in the banking sector). The most common sanction was the contraventional reprimand (32 out of 55 cases). As a side note, in the law governing the activity of ANSPDCP there is a difference between “contraventional” sanctions (reprimands and fines) and Decisions of the ANSPDCP President, all of which represent procedural means to exercise GDPR corrective powers (see here our previous legal alert on this topic). At the same time, the controllers were ordered to comply with the GDPR and ePrivacy provisions (e.g., to provide access to information, to stop certain processing operations).

The prevailing problem (14 cases out of 55) is the management of data subject requests (DSRs). Controllers who were sanctioned ignored the DSRs, prompting – at least at this stage – reprimands and orders to respond to the data subjects. Another hot topic brought up by the ANSPDCP announcement is the legal treatment of direct marketing using electronic mail. There is little information on the background of the cases, so it cannot be ascertained whether the soft opt-in exemption could have been relied on – however, the authority insists in every case on the requirement to demonstrate the existence of prior consent. This approach might further promote the idea that direct marketing can only be based on consent, which is not consistent with the provisions of Art. 13(2) of the ePrivacy Directive.

Nevertheless, the measures applied by the Romanian authority are subject to further appeal, which will help shed light on the opinion of the national courts in data protection and ePrivacy matters.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Guidelines & reports

✎ The EDPB adopted the final version of Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.
✎ The Spanish DPA published guidelines on privacy by design.
✎ CNIL publishes a DPIA whitelist.
✎ The Italian DPA approved the ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’.
✎ The Irish DPA issued a Guide to Data Protection Impact Assessments for any processing that is ‘likely to result in a high risk to individuals’, including some specified types of processing.
✎ The Irish DPA has updated its DSAR FAQ (Data Subject Access Requests).
✎ The Dutch DPA severely restricts situations when legitimate interest ca be relied on as a legal ground for personal data processing (read here a summary in English).
✎ The ICO launches a public consultation for organizations to determine if they are GDPR compliant.
✎ The Irish DPA issues Guidance for Organisations Engaging Cloud Service Providers.
✎ Latin American and Spanish DPAs Issue Joint Statement On Data Processing And Artificial Intelligence.
✎ See the CERT-RO infographic on what to look for when acquiring apps or software systems and the CERT-RO news on online scams.

Cases & decisions

⚖ ECtHR: In López Ribalda and Others v. Spain, the Court decides that hidden video monitoring of employees did not violate their human rights because it was justified by suspicions of theft.
⚖ The Austrian DPA considered that a controller could identify the data subject using his/her e-mail address and the information already stored by the controller (read here a summary in English).
⚖ C.J.U.E. C-673/17 – Planet49: The court decided that, when accessing a website, the consent which a user should give for the placement of cookies is not validly expressed through a previously pre-ticked checkbox.

Legislation watch

EU:
– ePrivacy proposal version published on 17 October 2019.
– The EU adopted the Whistleblower Directive, which is expected to be published in the Official Journal. Member States will have 2 years for transposition.
Romania:
– The law proposal on electronic signature has been approved by the Romanian Senate and has been sent to the Chamber of Deputies.
– The PSD2 transposition law has been published on the Official Monitor no. 913/13.11.2019 and will enter into force in December 2019.

GDPR enforcement actions

⚡ The Spanish DPA fined an airline company with 30,000 eur for non-compliant use of cookies and similar technologies on its website.
⚡ The Commissioner for Personal Data Protection of Cyprus fined a doctor for posting photos of a patient on social media (here is a summary in English).
⚡ The EDPS publishes preliminary results in the investigation of the use of Microsoft products by EU institutions.
⚡ The Polish supervisory authority imposed first administrative fine on a public entity for failing to conclude data processing agreements with its data processors.
⚡ The Austrian DPA imposed an administrative fine of 18 million euros on Österreichische Post AG after conducting administrative fine proceedings.
⚡ An app in Italy which intermediates data portability on behaf of data subjects is under the EDPB’s scrutiny.
⚡ Facebook and ICO reach an agreement regarding the use of personal data in political campaigns.
⚡ Illegal use of Google Analytics under scrutiny in Germany.

More EU data protection news

► The Irish DPA summarizes the data breach trends in the GDPR’s first year.
► Processing employee’s sickness data in Germany – an article by Dr. Carlo Piltz.
► Mastercard Establishes Principles for Data Responsibility
Facial recognition: A solution in search of a problem?
► Facebook updated it’s “Page Insights Controller Addendum” – the document indicating the arrangement between joint controllers.
► Authorities in Bucharest are reported to plan a survey of pet owners, which raises issues about data minimization (article in Romanian).
► French authorities ban facial recognition in schools.
► In Sweden, the Police, who have previously performed a DPIA on the matter, can apply face recognition technology for crime prevention, but must limit the storage of data.
► The Strategic Plan of the 41st International Conference of Data Protection and Privacy Commissioners has been published.
► NIS Directive: The EU Commission published the Report assessing the consistency of the approaches in the identification of operators of essential services.
► The Federation of German Consumer Organizations files complaints against use of online trackers on media websites.
► The Italian bank, UniCredit has announced that three million of its clients were affected by a data breach.