The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of SEK 300,000 applied by Swedish Data Protection Authority to a housing company for unlawful video surveillance in an apartment building.

The Swedish Data Protection Authority received a complaint concerning video surveillance in an apartment building belonging to the housing company Uppsalahem. The camera’s monitoring area clearly covered two apartment doors, one of which belongs to the complainant and the other belonging to a resident whom has been subject to disturbances and harassment.

The housing company states that the purpose of the video surveillance was to resolve disturbances having occurred in the stairwell over time. “Even if the company had a legitimate interest for video surveillance, it was outweighed by the residents’ right to privacy,” says Gustav Linder, legal advisor at the Swedish Data Protection Authority.

In its decision, the Swedish Data Protection Authority concludes that the video surveillance in question, monitoring individuals in their home environment is particularly privacy sensitive. For that reason, the Swedish Data Protection Authority imposes to the housing company a fine of SEK 300,000 and the cessation of video surveillance in question.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.

NEWSLETTER No. 6

(1 August – 30 October 2020)

1.      Information activities performed by NCPDP

Recently, the National Center for Personal Data Protection of the Republic of Moldova (NCPDP) has been receiving multiple requests regarding the authority’s opinion on the recording and live streaming via Internet of local council meetings. In this context, during the reference period, the NCPDP analysed the approached subject and noted that by publishing in internet the meetings of the local councils, it will be provided access to certain information that is discussed during the meetings, not only to the local stakeholders, but also to an unlimited number of people. The detailed opinion of the NCPDP can be accessed at the following link: https://datepersonale.md/aspecte-privind-inregistrarea-si-transmiterea-on-line-a-sedintelor-consiliilor-locale/

2.   Control activity

During the reference period, the NCPDP initiated the verification of the conformity of the personal data processing operations, thus initiating 82 investigations. Of the 82 investigations: 4 investigation procedures were initiated following the self-notification of the NCPDP in connection with an alleged non-compliant processing of personal data; in 28 finalized cases, the violation of the legal provisions was found, 31 minutes regarding the contravention were concluded, being subsequently submitted to the court for settlement.

3.      Surveillance activity

During the reference period, 183 notifications were submitted for examination at the “One-Stop Shop” of the NCPDP for the registration of personal data controllers and / or managed filing systems. Following the analysis of those notification forms, 89 authorization decisions and 94 refusal decisions were issued. Thus, about 68 data controllers and 89 personal data filing systems were registered in the Register of evidence of personal data controllers.

4.      International and European news

The 36th plenary session of the European Data Protection Board took place on 2 September. At this meeting, the Committee adopted the Guidelines on the concepts of controller and processor in GDPR and the Guidelines for social media users. In addition, the EDPB has set up a working group on complaints following the judgment of the ECJ Schrems II and a working group on additional measures that data exporters and importers may be required to take to ensure adequate data transfer protection in the light of the judgment of the ECJ Schrems II.

https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en

The 39th plenary meeting of the European Data Protection Board took place on 7 October. During the meeting, the EDPB adopted Guidelines on the concept of relevant and reasoned objection. The guidelines will contribute to a unified interpretation of the concept, which will help streamline future art. 65 of the GDPR procedures. The guidelines aim at establishing a common understanding of the notion of “relevant and reasoned”, including what should be taken into account when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision” (Article 4 (24) GDPR).

On 20 October, the EDPB met for the 40th plenary session. During the plenary, a wide range of topics were discussed.

Following the public consultation, the EDPB adopted a final version of the Guidelines on Data Protection by design and by default. The guidelines focus on the obligation of Data Protection by Design and by Default as set forth in Art. 25 GDPR. The core obligation enshrined in Art.25 is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This means that controllers have to implement appropriate technical and organisational measures and the necessary safeguards, designed to ascertain data protection principles in practice and to protect the rights and freedoms of data subjects. In addition, controllers should be able to demonstrate that the implemented measures are effective.

            Also, during this meeting, the EDPB decided to set up a Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The objective of the CEF is to facilitate joint actions in a flexible and coordinated manner, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations. The purpose of recurring annual coordinated actions is to promote compliance, to empower data subjects to exercise their rights and to raise awareness. 

Another point discussed at the meeting was that EDPB adopted a letter in response to the Europäische Akademie für Informationsfreiheit und Datenschutz concerning the data protection implications of Art.17 of the Copyright Directive, in particular concerning upload filters. In the letter, the EDPB states that any processing of personal data for the purpose of upload filters must be proportionate and necessary and that, as far possible, no personal data should be processed when Art. 17 Copyright Directive is implemented. Where the processing of personal data is necessary, such as for the redress mechanism, such data should only concern data necessary for this specific purpose, while applying all the other principles of the GDPR. The EDPB further highlighted that it is in continuous exchange with the European Commission on this topic and that it has indicated its availability for further collaboration.

The 50th meeting of the Bureau of the Convention Committee 108 took place on 28-30 September, and met online. More than 50 data protection experts representing States Parties to Convention 108, as well as observers, logged on to the platform on a daily basis to discuss agenda items. Participants discussed priority issues of the Convention Committee, such as facial recognition, personal data processed in the context of education systems, profiling, digital identity, processing of personal data in the context of political campaigns, and the evaluation and monitoring of this mechanism under Convention 108.

The Council of Europe published the report “Digital solutions to fight COVID-19”, which analyzes the impact on privacy rights and data protection of measures taken to prevent the spread of the COVID-19 pandemic in the 55 African, American and European countries part to Convention 108.  It includes an in-depth and technical review of the use of digital contact tracking applications and monitoring tools.

5.      Other data protection authorities

–         a fine of 830,000 EUR against the National Credit Register (BKR) has been imposed by the Dutch Data Protection Authority for charging a fee to data subjects for requesting access to their data in a digital format. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted.

–         a fine of 75,000 EUR on VODAFONE ESPAÑA has been imposed by the Spanish Data Protection Authority (AEPD) for processing the claimant’s telephone number for marketing purposes after they had exercised their right to erasure in 2015, in spite of what the data subject was sent advertising SMS. The AEPD considered that VODAFONE ESPAÑA violated Article 6(1) of the GDPR, by processing the claimant’s personal data without any lawful basis.

–         a fine of 100,000 PLN on the Surveyor General of Poland (GGK) has been imposed by the Polish Data Protection Authority for Infringement of the principle of lawfulness of personal data processing and making intentionally available without a legal basis on the GEOPORTAL2 (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers. Moreover, GGK must adapt the processing of personal data to the provisions of the GDPR by discontinuing making available on the GEOPORTAL2 portal (www.geoportal.gov.pl) of personal data.

–         a fine of 37, 400 EUR on Norwegian Public Roads Administration has been imposed by the Norwegian Data Protection Authority for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days. The Norwegian Public Roads Administration used fixed road cameras to monitor contract parties, employees, subvendors and the subvendors’ employees. This usage of the video recordings was compatible with the originally stated purpose.

–         a fine of 35, 3 Million Euro against the H&M’s Service Center in Nuremberg has been imposed by The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) for illegal monitoring of several hundred employees by its management. Supervisors acquired a broad knowledge of their employees’ private lives, religious beliefs, symptoms of illness and diagnoses that was permanently stored on a network drive for a meticulous evaluation of individual work performance and to obtain a detailed profile of employees for measures and decisions regarding their employment. This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. HmbBfDI ordered the contents of the network drive to be “frozen” and then demanded it to be handed over.

–         a fine of 276,000 EUR against Bergen Municipality has been imposed by the Norwegian Data Protection Authority for improperly processing of personal information in the communication system between school and home. In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality’s new tool for communication between school and home, where school and parents can communicate via a portal or app. The municipality had not established the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use. Thus, a contact list with information about “confidential address” was distributed to parents at a grade level. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.

On 20 May 2020, the Supreme Court of Justice irrevocably decided to maintain in force the decision of the National Center for Personal Data Protection (NCPDP) of 16 November 2018, which found the non-compliant processing of personal data in accordance with the requirements of the legislation in in the field of personal data protection by the Ministry of Internal Affairs, in the Automated Information System “Register of forensic and criminological information”, the latter being obliged to delete information containing personal data about data subject covered by this processing, which were collected / obtained from unrecognized authorities / institutions in the Transnistrian region.

During the examination of those invoked by data subject, NCPDP highlighted the vicious practice of receiving and storing by constitutional authorities of the Republic of Moldova the information received from the unconstitutional structures on the left bank of Nistru.

It should be emphasized that the automatic processing of personal data of citizens of the Republic of Moldova based on information received from unconstitutional structures, which in fact can not be considered authentic / truthful, and their use to the detriment of data subject represent a serious violation of human rights and freedoms.

In this regard the Decision of the Superior Council of Magistracy (SCM) no. 209/14 of April 10, 2012 “on the approach of Mr. Oleg Efrim, Minister of Justice, regarding the opinion on the address of Mr. Eugen Carpov, Deputy Prime Minister, on addressing legal issues”, by which the SCM found: ” that any act issued by the self-proclaimed authorities in this part of the Republic of Moldova contravenes the Constitution, the fact referring equally to any decisions, sentences pronounced by the courts established in the given region illegally. Thus, the Council considers as unacceptable any legal collaborations and proposals for legal solutions with the structures in the Transnistrian region. “

Consequently, in the jurisprudence concerning the Republic of Moldova, the European Court of Human Rights in numerous cases (Ilascu and others v. Moldova and Russia; Eriomenco v. the Republic of Moldova and the Russian Federation; Mozer v. the Republic of Moldova and the Russian Federation; Catan v. the Republic of Moldova and Russia) found illegal the acts adopted by unrecognized and unconstitutional entities on the left bank of Nistru.

We emphasize that according to the Declarations submitted together with the instrument of ratification of the Convention no. 108 for the protection of individuals with regard to automatic processing of personal data, the Republic of Moldova has not declared reservations on the provisions of the Convention, regarding its application on the territory of the Transnistrian region. Thus, the Republic of Moldova has the obligation to ensure the protection of fundamental rights and freedoms of its citizens with regard to the processing of personal data, especially the right to inviolability of private and family life, throughout its territory.

Aspects regarding the compliance of Metro Cash & Carry Moldova S.R.L. with legal provisions in the field of personal data protection.

On June 4, 2020, at 15:00, at the headquarters of the National Center for Personal Data Protection (NCPDP), a working meeting was organized with the participation of high management of Metro Cash & Carry Moldova S.R.L. and the National Authority for the Protection of Personal Data.

During the working meeting, some aspects regarding the compliance of Metro Cash & Carry Moldova S.R.L. with legal provisions in the field of personal data protection were discussed, including the notification of video surveillance system and other personal data filing systems.Finally, the National Authority for Personal Data Protection expressed its availability in providing the necessary support to Metro Cash & Carry Moldova S.R.L. in carrying out the tasks indicated above by providing the necessary consultations.

On June 4, 2020, at the invitation of the “Congress of Local Authorities of Moldova (CLAM)” high management, the representatives of the National Center for Personal Data Protection of the Republic of Moldova (NCPDP) had a speech at the webinar for secretaries of local councils, members of the Secretaries Network within CLAM on the topic: “Development of security policy and Regulation on personal data processing in the LPA”.

During the event, the representatives of NCPDP reiterated the need for the local public authorities to ensure an adequate regime of their security and confidentiality, as personal data controllers, explaining the requirements for developing and approving the Personal Data Protection Security Policy and the documentation related to it, namely the Regulations that establish the way of personal data processing within the information systems managed by the local public authorities to be notified to NCPDP, taking into account the provisions of Government Decision no. 1123 of December 14, 2010 on the approval of the Requirements for the assurance of personal data security at their processing within the information systems of personal data.

We specify that the exposed presentations are not only based on theoretical elements, but also recommendations / practical solutions in order to ensure the necessary conditions for personal data processing operations, performed by the representatives of local public authorities in order to comply with the principles of personal data protection.

The event was an interactive one, the participants demonstrating receptivity and interest in the field of personal data protection, asking several questions related to examining different types of requests for information containing personal data, publishing information in the Local Documents Registry through the provisions of the Law on personal data protection, video recording of local council meetings, etc.

Finally, NCPDP exposed itself on the availability of regular participation in such events in order to interact and consult the representatives of local public authorities in solving problems in the process of compliance with the legislation on personal data protection.

The webinar was attended by about 85 secretaries of local councils.

Since its launch, the new website has gathered over 13,000 unique visitors.

The National Center for Personal Data Protection (NCPDP) informs that, in order to implement action 3.6 of the EU Twinning Project Work Plan “Capacity Building of the National Center for Personal Data Protection”, on January 31, 2020, was launched the new website of the NCPDP, developed with the financial support of the EU. The new page of NCPDP – www.datepersonale.md, aims to promote a more interactive communication with its visitors.
Thus, since its launch until now – over 13 thousand unique visitors have accessed the information of the new website, which indicates an increased interest from visitors in the field of personal data protection.
Every month, the new website has up to 4,350 unique visitors. Even during the state of emergency, when less information about the activity of NCPDP was published on the website, the number of visitors was constant, respectively, in March and April, about 6300 visitors accessed the NCPDP page.
The most viewed articles are the Newsletters on the activity of NCPDP and the EU recommendations regarding the processing of personal data in the context of Covid-19 outbreak, published on the site.
Please note that some of the information can be viewed on the old web page, by accessing the link old.datepersonale.md.

Aspects regarding the compliance of the Customs Service of the Republic of Moldova with legal provisions in the field of personal data protection.

On May 19, 2020, at 10.30, at the headquarters of the National Center for Personal Data Protection (NCPDP), a working meeting was organized with the participation of high management of Customs Service of the Republic of Moldova and the National Authority for Personal Data Protection.

During the working meeting, some aspects regarding the compliance of the Customs Service of the Republic of Moldova with legal provisions in the field of personal data protection were discussed, including the notification of video surveillance system and other personal data filing systems managed by the entity concerned, in particular the Integrated Customs Information System.

Finally, the National Authority for Personal Data Protection expressed its availability in providing the necessary support to the Customs Service of the Republic of Moldova in carrying out the tasks indicated above by providing the necessary consultations.

1. Information and training activities performed by NCPDP

Between November 2019 and January 2020, the NCPDP and the EU Twinning Project experts organized 20 training courses in the field of personal data protection for a total of 680 participants from different public and private entities.
In this context, we list below some of the training activities organized by the representatives of NCPDP and EU Twinning Project experts:
• Ministry of Finance– 30 civil servants;
• Parliament of the Republic of Moldova – 40 participants;
• Comrat Court of Appeal – 23 employees;
• Ministry of Health, Labor and Social Protection – 60 participants;
• College “Alexei Mateevici”, Chișinău – 110 students;
• General Directorate for Education, Youth and Sports, Chișinău – 84 participants;
• Chișinău Court – 30 participants;
• Ministry of Justice – 23 employees;
• Republican Center for Children and Youth ARTICO – educational hour for children of 7-14 years, – 40 children;
• Free International University of Moldova – 53 students, third year, Law Faculty;
• Awareness campaign for parents and children “Protect your child in the online environment”, action carried out in collaboration with General Police Inspectorate of Ministry of Internal Affairs, “Moldcell” – mobile network operator and Public Association “Solidary Parents”– 66 parents;
• Informational event for students on the occasion of European Data Protection Day – “Right of access to information and the right to privacy” with the participation of students from Law Faculty of Free International University of Moldova, last year and from the Faculty of Journalism of Moldova State University including the participation of representatives of civil society – “Promo-Lex”, “Center for Legal Resources”, “Centre for Investigative Journalism”, etc. – 14 participants;
• Training course for employees of “Moldcell” – mobile network operator – 45 participants;
• Awareness event for children – “Personal Data Protection expressed by drawing” – 24 children from ARTICO.
During these training actions, the representatives of the NCPDP specified the general rules on personal data protection, the principles of personal data processing, as well as a series of recommendations:
• the need to ensure an adequate level of security and confidentiality of personal data;
• the need to protect children in the online environment and to limit their access to social networks (Facebook, Twitter, Instagram etc.);
• the need to develop and implement appropriate measures in order to establish the mechanism for keeping records of personal data processing operations;
• the need to comply with data minimization principle, respectively minimization of categories and volume of personal data processed to those strictly necessary to fulfill the purpose (s) for which they were collected.

2. Activity of Control of NCPDP

During the reference period, the NCPDP carried out a number of 109 investigations on data controllers, both in the private and public sectors, in order to verify the lawfulness of personal data processing performed. Out of the 109 investigations – 8 investigation procedures were initiated as a result of NCPDP self-notification in connection with an alleged processing of personal data not in accordance with the rules in the field of personal data protection. Out of 109 investigations, 7 cases were finalized, the violation of the legal provisions was found and contravention in the form of fines was applied by the courts – in the total amount of 13 thousand MDL. The other cases are still under investigation.
At the same time, during the same reference period, NCPDP received a number of 231 complaints that led to investigations in order to resolve them. In general, the complaints concerned the following issues:
• achievement of the rights of data subjects – 45 complaints;
• processing of personal data through video surveillance devices – 39 complaints;
• processing of personal data in the absence of the data subject’s consent – 32 complaints;
• processing of personal data through disclosure on social networks – 24 complaints;
• processing of personal data in police activity – 23 complaints;
• processing of personal data by publishing the court decisions without depersonalization –17 complaints;
• processing of personal data in the financial sector – 16 complaints;
• etc.
In addition, at the “One-Stop Shop” of the NCPDP, 443 notifications were submitted for examination in order to register personal data controllers and / or personal data filing systems. Following the analysis of those notifications, 282 authorization decisions and 161 refusal decisions were issued. Thus, about 241 data controllers and 282 personal data filing systems were registered in the Register of evidence of personal data controllers, which indicates an increased interest of data controllers to comply with the requirements of the Law no.133 of 8 July, 2011 on personal data protection, compared to the previous period.

3. European and international news

On November 12th and 13th 2019, the fifteenth plenary session of the European Data Protection Board took place in Brussels. The meeting addressed the following topics:
• Report on the Third Annual Joint Review of the EU-US Privacy Shield
• Guidelines on the Territorial Scope of the GDPR (version following public consultation)
• Guidelines on Data Protection by Design and by Default
• Article 64 Opinion on ExxonMobil BCRs
• Response letter to LIBE on EU Information Systems
• Contribution to the consultation on a draft second additional protocol to the Budapest Convention on Cybercrime
More details are available at: https://edpb.europa.eu/news/news/2019/fifteenth-plenary-session-privacy-shield-review-guidelines-territorial-scope_ro
On December 2nd and 3rd 2019, the sixteenth plenary session of the European Data Protection Board is took place in Brussels.
During its December Plenary Session, the EDPB addressed the following issues:
• Art. 64 GDPR Opinion on accreditation requirements for the Code of Conduct monitoring body by UK SA. The EDPB adopted its opinion on the draft decision of the UK Supervisory Authority on Accreditation Requirements for Code of Conduct Monitoring Bodies. The opinion aims to ensure the consistency and correct application of these requirements within the EEA supervisory authorities.
• Response to the request for recommendations from BEREC on the revision of the guidelines on internet neutrality rules.
The EDPB has adopted the response to the request for guidance from the Body of European Regulators for Electronic Communications (BEREC) on the current EU data protection framework.
• Guidelines on “The criteria of the Right to be Forgotten in the search engines cases under the GDPR”
The Committee adopted draft guidelines on “Criteria for the right to be forgotten in search engines case under the GDPR”. The guidelines provide an interpretation of Article 17 of the GDPR on the grounds and exceptions for removal requests from search engine providers and are an update of the 2014 guidelines on the implementation of the Costeja decision issued by the Article 29 Working Party. ” (WP29).
On December 11th and 13th 2019, the 49th meeting of the Bureau of the Consultative Committee of Convention 108 for the Protection of Individuals with regard to Automated Data Processing took place. The following topics were discussed during the meeting:
• Ratification of the Protocol (CETS No. 223) amending Convention 108 by Bulgaria;
• The Ad Hoc Committee on Artificial Intelligence (CAHAI), which has started to work on the feasibility study of an international legal framework on artificial intelligence (AI), dealing with the mapping of the latest trends in AI data.
• Recent signatures (amending CETS Protocol No. 223 of Convention 108+) by Switzerland, Serbia and Northern Macedonia. So far the total number of signatories is 38;
On January 28th and 29th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their seventeenth plenary session. During the plenary, a wide range of topics was discussed.

The EDPB adopted its opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities (SAs). These opinions aim to ensure consistency and the correct application of the criteria among EEA SAs.
The EDPB adopted draft Guidelines on Connected Vehicles. As vehicles become increasingly more connected, the amount of data generated about drivers and passengers by these connected vehicles is growing rapidly. The EDPB guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. More specifically, the guidelines deal with the personal data processed by the vehicle and the data communicated by the vehicle as a connected device. The guidelines will be submitted for public consultation.
The Board adopted the final version of the Guidelines on the processing of Personal Data through Video Devices following public consultation. The guidelines aim to clarify how the GDPR applies to the processing of personal data when using video devices and to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. The guidelines address, among others, the lawfulness of processing, including the processing of special categories of data, the applicability of the household exemption and the disclosure of footage to third parties. Following public consultation, several amendments were made.
The EDPB adopted its opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg SAs. These are the first opinions on accreditation requirements for Certification Bodies adopted by the Board. They aim to establish a consistent and harmonised approach regarding the requirements which SAs and national accreditation bodies will apply when accrediting certification bodies.
The EDPB adopted its opinion on the draft decision regarding the Fujikura Automotive Europe Group’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Spanish Supervisory Authority.
Letter on unfair algorithms
The EDPB adopted a letter in response to MEP Sophie in’t Veld’s request concerning the use of unfair algorithms. The letter provides an analysis of the challenges posed by the use of algorithms, an overview of the relevant GDPR provisions and existing guidelines addressing these issues, and describes the work already undertaken by SAs.
Letter to the Council of Europe on the Cybercrime Convention
Following the Board’s contribution to the consultation process on the negotiation of a second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), several EDPB Members actively participated in the Council of Europe Cybercrime Committee’s (T-CY) Octopus Conference. The Board adopted a follow-up letter to the conference, stressing the need to integrate strong data protection safeguards into the future Additional Protocol to the Convention and to ensure its consistency with Convention 108, as well as with the EU Treaties and Charter of Fundamental Rights. More information is available at: https://edpb.europa.eu/news/news/2020/seventeenth-edpb-plenary-session_en

4. Other data protection authorities

During this period, several data protection authorities in the European Union carried out investigations which led to the imposition of administrative fines to data controllers from various sectors of activity. Of these, the following should be highlighted:
• The National Authority for Supervision of Personal Data Processing in Romania applied a fine of 80,000 EUR, finding that the controller violated both the provisions of art. 25 para. (1) and art. 5 par. 1 let. f) of the GDPR. The controller did not ensure compliance with the principle of data protection by design and by default (privacy by design and privacy by default), as it did not proceed to adopt appropriate technical and organizational measures to integrate adequate safeguards in the automated system for data processing within the settlement process of card transactions, being affected a number of 225,525 customers whose payment operations were doubled in the period 8-1 October 2018, also related to the provisions of art. 32 para. (1) let. d) of the GDPR.
• The Norwegian Data Protection Authority issued an administrative fine of 49,300 EUR for storing patient data from nursing homes and health centers outside the electronic medical record system, from 2007 till November 2018.
• The Italian Supervisory Authority imposed two fines totaling 11.5 million EUR, regarding the illicit processing of personal data in the context of activities for the promotion and activation of unsolicited contracts. The fines were determined according to the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the degree of conduct, the duration of the infringement and the economic conditions of the controllers. More information is available at: https://edpb.europa.eu/news/national-news_en

A month after the first Joint Statement on the right to data protection in the context of the COVID-19 pandemic, countries and peoples around the world continue investing all efforts in preventing the spread of the virus. Thus, on 28.04.2020 was issued the second Joint Statement on Digital Contact Tracing developed by Chair of the Committee of Convention 108 and Data Protection Commissioner at the Council of Europe, the content of the document can be viewed by accessing the following link.