NEWSLETTER No. 6
(1 August – 30 October 2020)
1. Information activities performed by NCPDP
Recently, the National Center for Personal Data Protection of the Republic of Moldova (NCPDP) has been receiving multiple requests regarding the authority’s opinion on the recording and live streaming via Internet of local council meetings. In this context, during the reference period, the NCPDP analysed the approached subject and noted that by publishing in internet the meetings of the local councils, it will be provided access to certain information that is discussed during the meetings, not only to the local stakeholders, but also to an unlimited number of people. The detailed opinion of the NCPDP can be accessed at the following link: https://datepersonale.md/aspecte-privind-inregistrarea-si-transmiterea-on-line-a-sedintelor-consiliilor-locale/
2. Control activity
During the reference period, the NCPDP initiated the verification of the conformity of the personal data processing operations, thus initiating 82 investigations. Of the 82 investigations: 4 investigation procedures were initiated following the self-notification of the NCPDP in connection with an alleged non-compliant processing of personal data; in 28 finalized cases, the violation of the legal provisions was found, 31 minutes regarding the contravention were concluded, being subsequently submitted to the court for settlement.
3. Surveillance activity
During the reference period, 183 notifications were submitted for examination at the “One-Stop Shop” of the NCPDP for the registration of personal data controllers and / or managed filing systems. Following the analysis of those notification forms, 89 authorization decisions and 94 refusal decisions were issued. Thus, about 68 data controllers and 89 personal data filing systems were registered in the Register of evidence of personal data controllers.
4. International and European news
The 36th plenary session of the European Data Protection Board took place on 2 September. At this meeting, the Committee adopted the Guidelines on the concepts of controller and processor in GDPR and the Guidelines for social media users. In addition, the EDPB has set up a working group on complaints following the judgment of the ECJ Schrems II and a working group on additional measures that data exporters and importers may be required to take to ensure adequate data transfer protection in the light of the judgment of the ECJ Schrems II.
The 39th plenary meeting of the European Data Protection Board took place on 7 October. During the meeting, the EDPB adopted Guidelines on the concept of relevant and reasoned objection. The guidelines will contribute to a unified interpretation of the concept, which will help streamline future art. 65 of the GDPR procedures. The guidelines aim at establishing a common understanding of the notion of “relevant and reasoned”, including what should be taken into account when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision” (Article 4 (24) GDPR).
On 20 October, the EDPB met for the 40th plenary session. During the plenary, a wide range of topics were discussed.
Following the public consultation, the EDPB adopted a final version of the Guidelines on Data Protection by design and by default. The guidelines focus on the obligation of Data Protection by Design and by Default as set forth in Art. 25 GDPR. The core obligation enshrined in Art.25 is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This means that controllers have to implement appropriate technical and organisational measures and the necessary safeguards, designed to ascertain data protection principles in practice and to protect the rights and freedoms of data subjects. In addition, controllers should be able to demonstrate that the implemented measures are effective.
Also, during this meeting, the EDPB decided to set up a Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The objective of the CEF is to facilitate joint actions in a flexible and coordinated manner, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations. The purpose of recurring annual coordinated actions is to promote compliance, to empower data subjects to exercise their rights and to raise awareness.
Another point discussed at the meeting was that EDPB adopted a letter in response to the Europäische Akademie für Informationsfreiheit und Datenschutz concerning the data protection implications of Art.17 of the Copyright Directive, in particular concerning upload filters. In the letter, the EDPB states that any processing of personal data for the purpose of upload filters must be proportionate and necessary and that, as far possible, no personal data should be processed when Art. 17 Copyright Directive is implemented. Where the processing of personal data is necessary, such as for the redress mechanism, such data should only concern data necessary for this specific purpose, while applying all the other principles of the GDPR. The EDPB further highlighted that it is in continuous exchange with the European Commission on this topic and that it has indicated its availability for further collaboration.
The 50th meeting of the Bureau of the Convention Committee 108 took place on 28-30 September, and met online. More than 50 data protection experts representing States Parties to Convention 108, as well as observers, logged on to the platform on a daily basis to discuss agenda items. Participants discussed priority issues of the Convention Committee, such as facial recognition, personal data processed in the context of education systems, profiling, digital identity, processing of personal data in the context of political campaigns, and the evaluation and monitoring of this mechanism under Convention 108.
The Council of Europe published the report “Digital solutions to fight COVID-19”, which analyzes the impact on privacy rights and data protection of measures taken to prevent the spread of the COVID-19 pandemic in the 55 African, American and European countries part to Convention 108. It includes an in-depth and technical review of the use of digital contact tracking applications and monitoring tools.
5. Other data protection authorities
– a fine of 830,000 EUR against the National Credit Register (BKR) has been imposed by the Dutch Data Protection Authority for charging a fee to data subjects for requesting access to their data in a digital format. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted.
– a fine of 75,000 EUR on VODAFONE ESPAÑA has been imposed by the Spanish Data Protection Authority (AEPD) for processing the claimant’s telephone number for marketing purposes after they had exercised their right to erasure in 2015, in spite of what the data subject was sent advertising SMS. The AEPD considered that VODAFONE ESPAÑA violated Article 6(1) of the GDPR, by processing the claimant’s personal data without any lawful basis.
– a fine of 100,000 PLN on the Surveyor General of Poland (GGK) has been imposed by the Polish Data Protection Authority for Infringement of the principle of lawfulness of personal data processing and making intentionally available without a legal basis on the GEOPORTAL2 (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers. Moreover, GGK must adapt the processing of personal data to the provisions of the GDPR by discontinuing making available on the GEOPORTAL2 portal (www.geoportal.gov.pl) of personal data.
– a fine of 37, 400 EUR on Norwegian Public Roads Administration has been imposed by the Norwegian Data Protection Authority for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days. The Norwegian Public Roads Administration used fixed road cameras to monitor contract parties, employees, subvendors and the subvendors’ employees. This usage of the video recordings was compatible with the originally stated purpose.
– a fine of 35, 3 Million Euro against the H&M’s Service Center in Nuremberg has been imposed by The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) for illegal monitoring of several hundred employees by its management. Supervisors acquired a broad knowledge of their employees’ private lives, religious beliefs, symptoms of illness and diagnoses that was permanently stored on a network drive for a meticulous evaluation of individual work performance and to obtain a detailed profile of employees for measures and decisions regarding their employment. This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. HmbBfDI ordered the contents of the network drive to be “frozen” and then demanded it to be handed over.
– a fine of 276,000 EUR against Bergen Municipality has been imposed by the Norwegian Data Protection Authority for improperly processing of personal information in the communication system between school and home. In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality’s new tool for communication between school and home, where school and parents can communicate via a portal or app. The municipality had not established the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use. Thus, a contact list with information about “confidential address” was distributed to parents at a grade level. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.