The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 8 million euros applied by the French Data Protection Authority (CNIL) to APPLE DISTRIBUTION INTERNATIONAL for the illegally processing of personal data.

The CNIL carried out several investigations in 2021 and 2022, following a complaint concerning the ad personalization in the App Store, in order to verify compliance with the applicable regulations. The CNIL services found that under the old version 14.6 of the operating system of the iPhone, when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent of the subject concerned.

Following the investigations, CNIL found a breach of Article 82 of the French Data Protection Act and imposed a fine of 8 million euros on APPLE DISTRIBUTION INTERNATIONAL. The amount of this fine was established based on the analysis of the following criteria: by the scope of the processing limited to the Apple Store, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers as well as the fact that, in the meantime, the company has reached compliance/adjusted such processing of personal data.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about administrative fine in the amount of 230 000 euros applied by the Finnish Data Protection Authority (SA) to Viking Line for unlawful processing of employees’ health data.

The Finnish SA investigated Viking Line activities on the basis of a complaint. A former employee of Viking Line informed the Finnish SA that they had not received all their personal data being stored in the company’s systems despite their request. According to the employee, Viking Line had been keeping their health data in an HR system for 20 years. Furthermore, some diagnosis information stored was inaccurate.

Following the investigations, it was found that saving diagnosis information in connection with other employment-related data is against the law. In addition, health data should also have been erased immediately when its storage was no longer necessary. At the same time, Viking Line had not informed its employees appropriately of the processing of their personal data.

In this context, an administrative fine of 230 000 euros was imposed on Viking Line for several violations of data protection legislation. At the same time, the Finnish SA ordered the company to correct its practices and inform its employees of the processing of their personal data as required by the GDPR.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 5 million euros applied by the French Data Protection Authority (CNIL) to social network TIKTOK for the illegally processing of personal data.

Between May 2020 and June 2022, the CNIL carried out several online investigations on the “tiktok.com” website in an unlogged session, and not on the mobile application. Following the investigations, it was found that although the companies TIKTOK UK and TIKTOK IRELAND did offer a button allowing immediate acceptance of cookies, they did not put in place an equivalent solution to allow the Internet user to refuse their deposit as easily.

On the basis of the findings, the CNIL concluded that TIKTOK INFORMATION TECHNOLOGIES UK LIMITED (TIKTOK UK) and TIKTOK TECHNOLOGY LIMITED (TIKTOK IRELAND) had failed to comply with the obligations set out in Article 82 of the French Data Protection Act, this process infringed the freedom of consent of Internet users and users were not informed in a sufficiently precise manner of the purposes of the cookies, either on the first-level information banner or in the context of the choice interface accessible after clicking on a link in the banner.

In this context, the CNIL applied a fine of 5 million euros to the social network TIKTOK. The amount of this fine was decided on the basis of the breaches identified, the number of people concerned – including minors – and the numerous previous communications from the CNIL on the fact that it must be as simple to refuse cookies as to accept them.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about total fine in the amount of 390 million euros applied by the Irish Data Protection Authority (SA) to social networks Facebook and Instagram for the violation of the legal provisions stipulated by GDPR.

Following the EDPB’s binding dispute resolution decisions of 5 December 2022, the Irish SA, has adopted its decisions regarding Facebook and Instagram (Meta Platforms Ireland Limited, ‘Meta IE’). These decisions are the result of complaint-based inquiries into Facebook’s and Instagram’s activities in particular concerning the lawfulness and transparency of processing for behavioural advertising. Meta IE was fined with 210 million euros in the Facebook decision and 180 million euros in the Instagram decision by the Irish SA.

These binding decisions were adopted on the basis of Art. 65(1)(a) GDPR, after the Irish SA had triggered two dispute resolution procedures concerning the objections raised by concerned supervisory authorities from ten countries in each case. Among others, the supervisory authorities issued objections concerning the legal basis for processing (Art. 6 GDPR), data protection principles (Art. 5 GDPR), and the use of corrective measures including fines.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

The National Centre for Personal Data Protection, for information purposes, communicates that on December, 22 this year, the President of the Republic of Moldova, Maia SANDU, signed the Decree approving the signing of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223).

The Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data provides a multilateral, robust and flexible legal framework to facilitate cross-border data flows and effective safeguards on the use of personal data. This instrument was opened for signature by the Council of Europe (CoE) on October 10, 2018 and up to now, has been signed by 44 states, 5 of which are not members of the CoE (Argentina, Tunisia, Mauritius, Uruguay and the Russian Federation) and ratified by 20 states.

The Protocol is a multilateral treaty drawn up under the auspices of the CoE which, according to Article 36, is open for signature by States Parties to Convention 108.

The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.

The Protocol itself provides for a number of innovations, such as:

–    Stricter proportionality requirements, data minimisation principles and lawfulness of processing;

–   Expansion of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin;

–   Obligation to notify data breaches;

–   Greater transparency of data processing;

–   New rights of individuals in a decision-making context, which are particularly relevant in relation to the development of artificial intelligence;

–   Increased accountability of data controllers;

–   Requirement to apply the principle of ‘privacy by design’

–   Application of data protection principles to all processing activities;

–   The regime for cross-border flows of personal data;

–   Strengthened powers and independence of data protection authorities and improved legal basis for international cooperation.

The Decree on the signing of the Protocol entered into force on 23 December this year and was published in the Official Gazette of the Republic of Moldova No. 428-430 Article 790.

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 4,3 million euros applied by the Portuguese Supervisory Authority (CBPD) to Portuguese National Statistics Institute (INE) for the infringement of article 9(1); article 12; article 13; article 28(1), (6) and (7); article 35(1), (2) and (3)(b); article 44 GDPR; article 46 and article 83 of GDPR.

In 2021, the CNPD received several complaints about the national census survey that was still undergoing at that moment. For the performance of the census, INE used the CDN (a content delivery network) services of a US company, Cloudflare, Inc., with over 200 data centres spread over 100 countries. In light of the complaints received, the CNPD opened an inquiry. At that point, circa 2.5 million forms, containing the personal data of over six million citizens residing in Portugal, had already been submitted to the INE. In view of its preliminary findings, the CNPD issued, under Article 58(2)(j) GDPR, an order for INE to suspend, in 12 hours, all data flows to the US and to any other third countries that did not offer an adequate level of protection, either via Cloudflare, Inc. or via any other company. After this corrective measure of cautionary nature, the inquiry went on about other aspects of the subject matter of the complaints.

As a result of the subsequent investigation, the CNPD identified five infringements of the GDPR in the context of the Census 2021 data processing, regarding the following issues: 

· Lack of lawfulness for the processing of special categories of personal data (article 9(1) GDPR).

· Lack of compliance with transparency obligations (articles 12 and 13 GDPR), in particular regarding the provision of any information concerning the processing operations, e.g. through the display of a privacy notice on the INE institutional website.

· Lack of a Data Protection Impact Assessment (article 35(1),(2) and (3)(b) GDPR).

· Lack of due diligence concerning the choice of the processor (article 28(1),(6) and (7)), namely by accepting a standard contract, that was not assessed in substance in what regards the requirements of  article 28(3) GDPR.

· Lack of compliance with the legal requirements for international data transfers (articles 44 and 46(2)), as interpreted by the CJEU in the Schrems II judgement.

In this context, as a result of the facts and the legal reasoning, the CNPD determined that the controller infringed different GDPR provisions in the context of the 2021 Census data processing and therefore decided, pursuant to article 58(2)(i) and article 83 GDPR and some national provisions, to apply one single fine of 4.3 million euros to the controller. This decision is final, but can be challenged in the national courts.

            The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

On December 20, 2022, the representatives of the National Center for Personal Data Protection (NCPDP) organized a training course for representatives of LPAs from Taraclia district. About 20 participants attended the event.

The aim of the training course was to inform, raise awareness and familiarize LPAs representatives with the latest aspects of personal data protection.

Thus, the following topics were discussed during the course: general notions of personal data; legal grounds for personal data processing; processing of special categories of personal data; depersonalization of data in the State Local Documents Registry; filming and transmission of district council meetings.

According to the action plan on trainings in the District Councils for 2022, the NCPDP has managed to train all LPAs in the Republic’s districts, thus covering a total of 938 participants.

On 13-14 December, the representatives of the National Centre for Personal Data Protection (NCPDP) attended the 72nd plenary meeting of the European Data Protection Board in Brussels, Belgium. Several topics were discussed during the plenary session, including: the outcome of the 71st plenary session; the preliminary agenda of the 73rd session; election of the Coordinator of the Coordinated Supervision Committee; decisions on the basis of legal acts approved by the European Committee, etc.

The 57th meeting of the T-PD Bureau also took place on 15-16 December in Strasbourg, France. During the meeting were discussed the report of the 56th meeting of the T-PD Bureau held on 21-23 September this year; the Committee’s work programme for 2022-2025; Convention 108+ state of play; Digital identity; Cooperation with other Council of Europe bodies and entities; Major developments and activities in the field of data protection.

Furthermore, the participants were informed about the next meetings planned for 2023.

“Requirements, principles and new trends in the field of personal data protection” were discussed today, December 9, during the training course organized for representatives of LPAs from Criuleni and Dubasari districts. The event was held at the headquarters of the Criuleni District Council and gathered 30 participants.

The aim of the training course was to familiarize, inform and raising – awareness for the representatives of LPAs with the latest and most current legal provisions in the field of personal data protection.

The training course covered the following topics: general notions of personal data; legal grounds for personal data processing; processing of special categories of personal data; depersonalization of personal data in the State Local Documents Registry; filming and transmission of district council meetings.

At the end of the course, the trainers from the NCPDP provided answers to all the questions given by the participants who showed interest in the course.