NEWSLETTER No. 7
(1 November 2020 – 31 January 2021)
1. Information activities performed by NCPDP
On 26, 27 and 28 January 2021, the National Center for Personal Data Protection (NCPDP), in collaboration with TAIEX project experts, organized the online workshop “Processing and protection of personal data in the field of public health in the context of possible global challenges” (the COVID-19 pandemic). The aim of the workshop was to strengthen the skills of public health representatives in dealing with challenges that may arise globally (in the context of the COVID-19 pandemic) while respecting the fundamental rights and freedoms of individuals with regard to personal data protection. This includes: processing that is necessary for reasons of public interest in the area of public health, and the adoption of good practices based on relevant case law; striking a balance between the processing, storage and disclosure of health data and the right to privacy; and promoting clarity and specialized analysis oriented towards the provisions of the law on personal data protection in this specific field of application. In the health field, the aim was to familiarize medical representatives with the new challenges related to the processing of personal data. The workshop was conducted by personal data protection experts from Croatia and Slovakia and by representatives of the NCPDP, and was organized for three regions of the country: central, northern and southern. The event was attended by about 200 persons.
2. Control activity
During the reference period, the NCPDP initiated the verification of the conformity of personal data processing operations, opening 48 investigations. Of these 48 investigations, 8 were initiated ex officio (self-notification of the NCPDP) in connection with allegedly non-compliant processing of personal data; in 20 finalized cases a violation of the legal provisions was found, and 25 contravention reports (minutes) were drawn up and subsequently submitted to the court for settlement.
3. Surveillance activity
During the reference period, 292 notifications were submitted for examination to the “One-Stop Shop” of the NCPDP for the registration of personal data controllers and/or the filing systems they manage. Following the analysis of those notification forms, 164 authorization decisions and 128 refusal decisions were issued. As a result, about 141 data controllers and 164 personal data filing systems were registered in the Register of evidence of personal data controllers.
4. Findings of the National Center for Personal Data Protection
I. NCPDP was notified by a data subject (a person holding a position of public dignity) who complained about the allegedly illegal actions of a civic activist, consisting in the publication, without consent, on the activist's personal profile on the social network “Facebook” of video recordings containing ordinary personal data – name, surname, position held and the public institution in which the data subject works – as well as the home address.
During the examination of the case, it was found that the profile of the person who published the video recordings on the social network “Facebook” is accessible to any user of that network, and that images showing the home address of the data subject – street and house number – were disseminated there in unrestricted public access, without his consent. The home address does not fall into the category of public information, unlike the other personal data – name, surname, position held and the public institution in which the data subject works – which could be considered public information once the data subject is a civil servant / person holding a position of public dignity / public person.
In general, it should be noted that where persons exercising certain public functions are concerned, the permissible degree of interference with the inviolability of private life is much higher than for persons who do not have such a status. Moreover, this degree of interference extends to public circumstances / public facts and to matters that may be of public interest. Nevertheless, the state has a positive obligation to legislate legal mechanisms protecting the inviolability of private life even in the case of public officials who are involved in public circumstances / facts and/or targeted in matters of public order. It is categorically inadmissible that this category of data subjects lacks legal guarantees and mechanisms ensuring the protection of their constitutional right to the inviolability of private life.
In the context of the examined case, it was found that the civic activist – a controller within the meaning of art. 3 of the Law on personal data protection – was required to ensure the confidentiality of personal data, especially the home address, in view of the obligation provided in art. 29 of the Law on personal data protection.
Therefore, the Center found that the publication / disclosure on the profile on the social network “Facebook” of the data subject's personal data, in particular the home address, in the absence of his consent, is contrary to the provisions of art. 4 para. (1) l. a), art. 5 para. (1) and art. 29 para. (1) of the Law on personal data protection, and a contravention report was drawn up pursuant to art. 741 para. (4) of the Contravention Code.
II. NCPDP received a complaint from a data subject regarding the allegedly illegal processing of personal data by a law enforcement body (MIA), consisting in the accessing and extraction of his personal data stored in the RSP, as well as that of his family members (printing of the personal file).
According to the explanation of the law enforcement body's representative, the personal data of the data subject stored in the RSP were accessed and extracted (the personal file was printed) in order to identify him so that he could be heard as a witness in a criminal case.
It was pointed out that the RSP personal file contains information on the place and date of birth, name, surname, patronymic, nationality, family members, and current and past places of residence and studies; the law enforcement body's representative confirmed that the personal file of the data subject extracted from the RSP contains that information.
Therefore, as a result of the case examination, NCPDP found that the access (visualization) to the data subject's personal data was pertinent, while at the same time finding the processing excessive, as manifested by the extraction of the data subject's personal file and its storage among the materials of a criminal file, the file containing a considerable volume of personal data of the data subject and of his family members, who have no procedural status in the case.
In this case, NCPDP is to intervene as ascertaining agent, pursuant to art. 741 para. (4) of the Contravention Code.
5. International and European news
On 10 November 2020, during its 41st plenary session, the EDPB adopted, by a 2/3 majority of its members, its first dispute resolution decision on the basis of Art. 65 GDPR. The binding decision addresses the dispute that arose following a draft decision issued by the Irish SA as lead supervisory authority (LSA) regarding Twitter International Company.
On 11 November, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. Both documents were adopted as a follow-up to the CJEU’s “Schrems II” ruling. The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
On 19 November, during the 42nd plenary session, the European Commission presented two new sets of draft standard contractual clauses (SCC): a set of SCCs for contracts between controllers and processors, elaborated in accordance with art. 28 (7) of GDPR and art. 29 (7) of Regulation 2018/1725 and another for data transfers outside the EU, in accordance with art. 46 (2) (c) of GDPR. The EDPB adopted a statement on the future ePrivacy Regulation and the future role of supervisory authorities and the EDPB in this context.
On 15 December, the EDPB met for its 43rd plenary session. During the plenary, a wide range of topics was discussed:
– The EDPB adopted its Strategy 2021-2023, which sets out the Board’s strategic objectives, grouped around four pillars, as well as three key actions per pillar to help achieve these objectives. The four main pillars of the EDPB Strategy are:
· advancing harmonisation and facilitating compliance;
· supporting effective enforcement and efficient cooperation between national supervisory authorities;
· a fundamental rights approach to new technologies; and
· the global dimension.
– The EDPB issued a statement on the end of the Brexit transition period in which it describes the main implications of the end of this period for data controllers and processors.
– The EDPB submitted for public consultations Guidelines on restrictions of data subject rights under Article 23 GDPR, aiming to recall the conditions surrounding the use of such restrictions in light of the Charter of Fundamental Rights and the GDPR.
– Following public consultation, the EDPB adopted a final version of the Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR. The guidelines aim to provide further guidance on the data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions in the GDPR and the PSD2.
– Also following public consultation, the EDPB adopted a final version of the Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies. These articles address transfers of personal data from EEA public authorities or bodies to public bodies in third countries, where these transfers are not covered by an adequacy decision.
– The EDPB also adopted a statement on the protection of personal data processed in relation with the prevention of the use of the financial system for the purposes of money laundering and terrorist financing.
– The EDPB adopted an Art. 64 opinion on the draft decision regarding Equinix’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Dutch SA.
On 15 January 2021, the EDPB and EDPS adopted joint opinions on two sets of standard contractual clauses (SCCs): one opinion on the SCCs for contracts between controllers and processors, and one on the SCCs for the transfer of personal data to third countries.
On 18 January, the EDPB adopted guidelines on examples regarding data breach notification. These guidelines complement the WP29 guidance on data breach notification by introducing more practice-oriented guidance and recommendations. They aim to help data controllers decide how to handle data breaches and what factors to consider during risk assessment. The document is submitted to public consultation until 02.03.2021.
On January 28, on the occasion of the 15th annual Data Protection Day, the Members of the EDPB presented a joint congratulatory message.
From 16 to 18 December 2020, the 51st meeting of the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Data took place. The meeting summarized and analysed a number of issues that could not be closed during 2020, namely:
· The Bureau took note of the information provided by the Secretariat on:
a) the current 33 signatures and 10 ratifications (the latest one since the Plenary meeting being Finland, on 10 December 2020) of Convention 108+ two years after the opening for signature of the amending Protocol. Five Parties (Bulgaria, Cyprus, Estonia, Lithuania and Norway) have made use of Article 37.3 of the amending protocol and declared the provisional application of Convention 108+ pending its entry into force;
b) the objective to have at least 38 ratifications by 10 October 2023 to enable a partial entry into force of Convention 108+ according to Article 37.2 of the amending Protocol;
c) the Committee of Ministers’ bi-annual review of the status of signatures and ratifications of the amending Protocol, in line with the decision adopted at the May 2018 Ministerial session, etc.
6. Other data protection authorities
· A fine in the amount of EUR 12,250,000 was applied by the Italian data protection supervisory authority (Garante per la protezione dei dati personali) to the mobile network operator Vodafone for having unlawfully processed the personal data of millions of users for telemarketing purposes. This decision marks the final step in a complex proceeding that the Italian supervisory authority had initiated following hundreds of complaints and alerts submitted by users about unsolicited phone calls made by Vodafone and/or the company’s sales network to promote telephone and Internet services.
· An administrative fine in the amount of SEK 300,000 was applied by the Swedish Data Protection Authority to a housing company for unlawful video surveillance in an apartment building. The Swedish Data Protection Authority received a complaint concerning video surveillance in an apartment building belonging to the housing company Uppsalahem. The camera’s monitoring area clearly covered two apartment doors, one belonging to the complainant and the other to a resident who had been subject to disturbances and harassment. In its decision, the Swedish Data Protection Authority concludes that the video surveillance in question, which monitors individuals in their home environment, is particularly privacy-sensitive.
· The Norwegian Data Protection Authority decided on an administrative fine of NOK 750,000 against Østfold HF Hospital for storing report extracts from patient records outside the safe zone in the period 2013-2019. The folders where the extracts were stored were not access-controlled, and activity in the folders was not logged. The report extracts had also been kept long after the lists were no longer needed.
· The Estonian Data Protection Inspectorate issued a penalty of 100,000 euros to three pharmacy chains that allowed the current prescriptions of another person to be viewed in the e-pharmacy environment, without that person's consent, merely on the basis of access to their personal identification code.
· An administrative fine in the amount of EUR 450,000 was applied by the Data Protection Commission to Twitter International Company for infringement of Articles 33(1) and 33(5) of the GDPR. The Data Protection Commission (DPC) investigation commenced in January 2019 following receipt of a breach notification from Twitter; the DPC found that Twitter infringed Articles 33(1) and 33(5) of the GDPR by failing to notify the breach to the DPC on time and by failing to adequately document the breach.
· An administrative fine in the amount of EUR 250,000 was applied by the Polish Data Protection Authority to ID Finance Poland for breach of the confidentiality principle with respect to personal data. In the proceedings, the President of the Personal Data Protection Office (UODO) established that the breach occurred because the appropriate security configuration was not restored after one of the servers operated by the processor was restarted. The controller was alerted to this by a cybersecurity specialist who detected the vulnerability and pointed to sample data that was publicly accessible. ID Finance Poland did not immediately check the identified vulnerabilities in its system and, as a result, a few days later the data was stolen from this server.
· An administrative fine equivalent to 20,000 euros was applied to the Polish insurance company Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. The sanction was applied for violating the provisions of the General Data Protection Regulation.
In May 2020, the Personal Data Protection Office of Poland (UODO) received information from a third party about a personal data breach: an e-mail containing an insurance policy had been sent by the company’s insurance agent to an unauthorized recipient. The attached document contained personal data such as names, surnames, residential addresses, personal identification numbers and information concerning the subject matter of the insurance (a passenger car).
· An administrative fine in the amount of 460 thousand euros was applied by the Polish Personal Data Protection Office (UODO) to the Polish mobile phone company Virgin Mobile Polska for the lack of adequate technical and organizational measures to ensure the security of the processed data. UODO stated that the company infringed the principles of data confidentiality and accountability, and did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organizational measures applied to ensure the security of the data processed. In addition, a vulnerability in the data exchange between these systems was used by an unauthorized person to obtain the data of some of the company’s clients.