video surveillance Archives - TechGDPR (https://techgdpr.com/blog/tag/video-surveillance/), feed dated Tue, 08 Jul 2025 11:55:39 +0000

Data protection digest 1-15 Feb 2025: an employer can’t track alleged ‘inactivity’ of workers via screengrabs and constant video monitoring
https://techgdpr.com/blog/data-protection-digest-17022025-an-employer-cant-track-alleged-inactivity-of-workers-via-screengrabs-and-constant-video-monitoring/ (Mon, 17 Feb 2025 09:22:26 +0000)

Constant video monitoring and screengrabs at work

A company that used software designed to account for times of alleged “inactivity” and grabbed frequent photos of its employees’ computer screens was fined 40,000 euros by the French data protection regulator CNIL. The staff members were also continuously videotaped, both visually and audibly. In particular, the company had placed software on some of its workers’ PCs to track their teleworking activities. To deter property theft, it also installed a constant video monitoring surveillance system, in both a workplace and a break area. Due to the company’s modest size and the software’s instant withdrawal during the audit, it was decided not to name it. 


GDPR fines clarified

The CJEU clarified the calculation of GDPR fines for undertakings. The top EU court aligned the GDPR ‘undertaking’ concept with that of the TFEU, stating that the maximum amount of the fine is to be determined based on a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive. 

AI system definition

The European Commission has published non-binding guidelines on prohibited AI practices, as defined by the AI Act, as well as guidelines on the definition of an AI system, to facilitate the application of the first AI Act rules, which apply from 2 February. The guidelines specifically address practices such as harmful manipulation, social scoring, emotion recognition and real-time remote biometric identification, among others.

The guidelines on the AI system definition explain the practical application of the legal concept. The definition adopts a lifecycle-based perspective encompassing two main phases: the pre-deployment or ‘building’ phase and the post-deployment or ‘use’ phase. It can comprise seven main elements (not all of which need to be present continuously throughout both phases):

  • a machine-based system; 
  • that is designed to operate with varying levels of autonomy; 
  • that may exhibit adaptiveness after deployment; 
  • and that, for explicit or implicit objectives; 
  • infers, from the input it receives, how to generate outputs; 
  • such as predictions, content, recommendations, or decisions; 
  • that can influence physical or virtual environments.

Legal updates worldwide

China data privacy updates: The Cyberspace Administration released measures for the administration of compliance audits on personal data protection, including cross-border data transfer regulations. They apply to all personal information processors operating within the country. Processors handling the data of over 10 million individuals must conduct audits at least every two years, and processors handling the data of over 1 million individuals must appoint a data protection officer. These and a number of other measures take effect on 1 May 2025.

UK privacy law reform: The Data (Use and Access) Bill completed its House of Lords stages and had its first and second readings in the House of Commons. Several significant amendments were made to the Bill, including the addition of clauses regarding compliance with UK copyright law by operators of web crawlers and general-purpose AI models, transparency, and deepfakes, as well as an extension of the direct marketing ‘soft opt-in’ from the commercial sector to the charity sector too.

The Bill will allow automated decision-making (with exceptions for processing with a legal or similarly significant effect) with no limitation on which lawful basis an organisation can use, subject to putting specific safeguards in place. Finally, in a debate focussed on concerns about the use of research provisions for AI development, Parliament chose to limit the provision by adding a public interest test rather than by imposing a blanket ban.

Direct marketing advice generator

The UK Information Commissioner launched a free online tool to help organisations ensure their direct marketing activities comply with the Privacy and Electronic Communication Regulations (PECR), and the UK GDPR. This allows organisations to reach out and promote their products and services to both new and existing customers and can assist in making sure they’re contacting people who are happy to hear from them. The tool covers email, SMS, direct mail, social media, telemarketing, etc.

Transfer impact assessment (TIA)

The French CNIL published the final version of its Data Transfer Impact Assessment guide (in French). Regardless of their status and size, a very large number of data controllers and processors are concerned by the issue of data transfers outside Europe. A TIA must be carried out by the exporter subject to the GDPR, with the assistance of the importer, before transferring data to a country outside the EEA where the transfer is based on a tool of Art. 46 of the GDPR (standard contractual clauses, binding corporate rules, etc.). There are two exceptions to this obligation for the data exporter:

  • the country of destination is covered by an adequacy decision of the European Commission; 
  • the transfer is made based on one of the derogations listed in Art. 49 of the GDPR.

More from supervisory authorities

Age assurance and digital services: The best interests of the child should be a primary consideration for all parties involved in processing personal data, states the EDPB. So far, the GDPR has introduced minimum age requirements in the context of information society services (Art. 8), and the Digital Services Act references age verification as a risk mitigation measure (Art. 35). Several Member States have implemented minimum age requirements for performing legal acts, exercising certain rights or accessing certain goods and services.

The risk-based approach is also crucial when balancing the potential interference with natural persons’ rights and freedoms against children’s safety. This would therefore require that a Data Protection Impact Assessment (Art. 35 GDPR) be conducted before processing, taking into account the nature, scope, context and purposes of the processing. Furthermore, any occurrence of automated decision-making in the context of age assurance should also comply with the GDPR.

Customer data checklist: The personal data that telecommunications providers typically process includes name, date of birth, postal address, bank details, email address and telephone numbers. This data is of interest to attackers in itself. Mobile phone numbers or email addresses are also often used as security anchors for other services. In addition, the business model of telecommunications providers involves dealing with expensive hardware. Taking into account the state of the art and the implementation costs, an appropriate level of protection must then be guaranteed in each case. To that end, the German Federal Data Protection Commission (BfDI) offers a checklist for handling customer data in sales for telecommunications companies from a data protection perspective, to facilitate the analysis of risks related to personal data (in German).


Search engine and anonymity

QWANT is a French company that launched its search engine in 2013. The data used in the context of the sale of the search engine’s advertising space, operated via Microsoft, was presented as anonymous (a truncated IP address, or a hashed IP address used to build an identifier). However, in 2019, following a complaint, the French CNIL found that, despite the strong precautions taken to avoid the re-identification of individuals, the dataset transmitted to Microsoft was not anonymised but only pseudonymised.

In 2020, the company was alleged to have modified its privacy policies (in various languages, due to cross-border processing) to mention:

  • the transmission of “pseudonymous” data to Microsoft; and 
  • the legal basis and advertising purposes for the data transmission, stated explicitly.

Former employee data from personal email

The Danish Data Protection Authority has decided a case in which a company had accessed and downloaded emails from a former employee’s private email account as part of a dispute between the parties and a police report. The company informed the regulator that it was processing these data on the basis of legitimate interest. The regulator criticised the move. It noted that the company’s investigation was directed at the former employee’s work computer, and that access to the personal email account was discovered by accident.

Nonetheless, the company continued to search, even after it had become aware that it was a personal email account.

More enforcement decisions

Transaction logs failure: According to Data Guidance, the Spanish data protection authority AEPD resolved a case in which it fined GENERALI ESPAÑA (insurance and finance services) 4 million euros for a data breach. An attacker used insurance broker credentials to get access to the personal information of policyholders, former policyholders and other people (about 1.5 million), as a result of a technical glitch in the customer maintenance system update. Furthermore, the lack of transaction logs made it impossible to determine the true extent of the intrusion immediately. Names and surnames, ID numbers, phone numbers, dates and places of birth, and IBANs were among the personal information breached.


Hidden video monitoring in neonatology: Similarly, the Polish UODO imposed a fine of approx. 275,000 euros on Centrum Medyczne Ujastek in Kraków, for installing image recording devices in two rooms of the neonatology department, and for failing to apply technical and organisational measures appropriate to the risk for data processed on memory cards located in the monitoring devices. Images showed newborns and their mothers performing intimate activities, including feeding and caring for children.

The children whose images were recorded no longer required intensive care, so their health was not at risk. Neither patients nor employees were informed about the recording. At the same time, the Medical Center reported to the UODO a loss or theft of memory cards from image recording devices in the above-mentioned rooms. After investigation, it was determined that the memory cards on which the recordings were located were not encrypted, and the devices used to record images were not configured properly. Finally, the risk analysis did not include the risk that was the cause of the incident and did not specify the security measures that could prevent it.

Data security

Data scraping: The Guernsey Data Protection Authority reported on a recent suspected data scraping incident in which an online business directory appeared to have been scraped by a third party using an automated tool, who then attempted to sell the data. The regulator recommends key measures for any website with business directories, user profiles, or that stores personal data in any other form:

  • Rate limiting, also known as throttling, is a technique used to limit the number of actions a user can make on a website in quick succession, safeguarding against automated bots.
  • CAPTCHA is a widely used tool which requires users to confirm that they are human by completing a quick and simple task.
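To make the rate-limiting recommendation concrete, here is an added example (not code from the TechGDPR digest or from the Guernsey regulator) of a per-client sliding-window limiter replayed over a few constructed web-server log lines in Common Log Format. The budget of 5 requests per 10-second window, the RFC 5737 documentation addresses and the log lines themselves are assumptions chosen for the demonstration: one client browses a business directory at a human pace, another walks profile pages in a tight loop, and one line is deliberately malformed so the parser's rejection path is exercised.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_REQUESTS = 5      # assumed budget: accepted requests per client per window
WINDOW_SECONDS = 10   # assumed sliding-window length in seconds

# Constructed Common Log Format sample (RFC 5737 documentation addresses):
# 203.0.113.7 browses at a human pace, 198.51.100.9 walks profile pages in a
# tight loop, and one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:09:00:00 +0000] "GET /directory/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Feb/2025:09:00:01 +0000] "GET /directory/company/1 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:01 +0000] "GET /directory/company/2 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:02 +0000] "GET /directory/company/3 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:02 +0000] "GET /directory/company/4 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:03 +0000] "GET /directory/company/5 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:03 +0000] "GET /directory/company/6 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:04 +0000] "GET /directory/company/7 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Feb/2025:09:00:04 +0000] "GET /directory/company/8 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Feb/2025:09:00:12 +0000] "GET /directory/company/3 HTTP/1.1" 200 2048
this line is not a valid log entry
198.51.100.9 - - [10/Feb/2025:09:00:20 +0000] "GET /directory/company/9 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Feb/2025:09:00:25 +0000] "GET /directory/company/3/contact HTTP/1.1" 200 1024
"""

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (client_ip, epoch_seconds, method, path, status), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, ts, method, path, int(status)


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` accepted requests in any
    `window` seconds. Only accepted requests consume budget, so a throttled
    client regains capacity as its earlier requests age out of the window."""

    def __init__(self, limit=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client, ts):
        q = self._hits[client]
        # Evict accepted requests that have left the window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # the server would answer HTTP 429 Too Many Requests
        q.append(ts)
        return True


def replay(log_text, limiter=None):
    """Replay log lines in order through the limiter. Returns per-client
    allowed/throttled counts and the number of lines the parser rejected."""
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "throttled": 0})
    unparsed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        ip, ts, _method, _path, _status = parsed
        stats[ip]["allowed" if limiter.allow(ip, ts) else "throttled"] += 1
    return dict(stats), unparsed


if __name__ == "__main__":
    per_client, bad = replay(SAMPLE_LOG)
    for ip, counts in per_client.items():
        print(f"{ip:15} allowed={counts['allowed']} throttled={counts['throttled']}")
    print(f"unparsed lines: {bad}")
```

Replaying the sample, the human visitor's three requests all pass, while the looping client gets five requests accepted, three throttled, and one more accepted once its earlier hits have aged out of the window. A real deployment would key the limiter on something more robust than a source IP where clients sit behind shared NAT, and would pair it with the CAPTCHA challenge the regulator also recommends rather than blocking outright.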

Data breach notification: The Swiss data protection authority FDPIC published guidelines on reporting data security breaches. As a rule, the report must contain a description of the circumstances of the breach and the controller’s assessment of its implications and include in particular details of the type, time, duration and extent of the breach and its already known and anticipated effects on the data subjects. The regulator also accepts voluntary reports where the controller does not assess the breach as posing a high risk to the data subjects but wishes to inform the FDPIC for other reasons. At the same time, data security breaches that lead to serious breaches of professional and manufacturing secrecy but do not affect personal data do not fall within the scope.

Big Tech

Gig economy: What would you do if your employer suddenly fired you or reduced your pay without telling you why? asks Privacy International. Unfortunately, this is the reality for the many millions of gig workers driving or delivering for platforms like Uber, Deliveroo and Just Eat, where platform decisions range from hiring and firing to dynamically adjusting pay and allocating jobs. To that end, PI has produced three demands for platforms to implement: 

  • Maintain a public register of the algorithms used to manage workers;
  • Accompany all algorithmic decisions with an explanation of the most important reasons and parameters behind;
  • Allow workers, their representatives and public interest groups to test how the algorithms work.

Shift from third-party cookies to device fingerprinting? Research by DLA Piper examines Google’s plan to remove the ban on device fingerprinting—which entails gathering and combining data about a device’s hardware and software to identify the device—for businesses that use its advertising tools, with effect from February 16. This comes after Google decided to keep third-party cookies in July 2024. See the original analyses for the implications of such a move regarding consent requirements and reduced user control.

Agentic AI: The Future of Privacy Forum takes a deep dive into a new technology described as “AI agents.” Unlike automated systems and even LLMs, these systems go beyond previous technology by having autonomy over how to achieve complex tasks, such as navigating a user’s web browser to take actions on their behalf (from making restaurant reservations and resolving customer service issues to coding complex systems). You can read the original publication for the data protection considerations of such systems, such as data collection, a lawful basis for model training, data subject rights, accuracy of output, data security and ensuring adequate explainability.

Data protection digest 15 Sep – 1 Oct 2023: cross-border cases get the highest level of attention from regulators
https://techgdpr.com/blog/data-protection-digest-03102023-cross-border-cases-get-the-highest-level-of-attention-from-regulators/ (Tue, 03 Oct 2023 10:43:57 +0000)

In this issue, cross-border cases get the full attention of the EDPB via its rulemaking on future enforcement procedures to complement the GDPR, resolving a complex case on TikTok children’s privacy, and being asked to permanently ban behavioural ads by Meta in the EU.

Legal processes and redress: cross-border enforcement, Grindr fine, EU Data Governance Act, UK-US data transfers

Cross-border cases: The EDPB and the EDPS welcomed a proposal by the European Commission to complement the GDPR by specifying procedural rules in cross-border cases. The recommendations set by the regulators include harmonisation of complaints admissibility, as well as the consensus-finding process during the preliminary and final stages of an investigation, to minimise the need for agency procedures such as a dispute resolution process. Regarding the amicable settlements of complaints, regulators call on the co-legislators to enable its efficient implementation, particularly in Member States that do not have such procedural laws. 

Grindr fine confirmed: In Norway, the Privacy Appeals Board has decided on the Grindr case. The board upholds the data protection authority’s decision on an administrative fine of approx. 5.7 million euros. Grindr is a location-based dating app for the LGBTQ+ community. In 2020, the Norwegian Consumer Council complained about the app. The reason was that Grindr shared information about GPS location, IP address, mobile phone advertising ID, age and gender – in addition to the fact that an individual was a Grindr user – with several third parties for marketing purposes. The data protection authority concluded that Grindr disclosed personal data about users to third parties for behavioural advertising without a legal basis.

The case concerns Grindr’s practices in the period from when the GDPR became applicable until 2020 when Grindr changed its consent mechanism. The data protection authority has not assessed the legality of the current practices of Grindr. The board points out, among other things, that the user was not given a free choice to consent to the disclosure of their data during registration in the app, and that the relevant information about data sharing was only included in the privacy policy. Moreover, information revealing that someone is a Grindr user may constitute a special category of personal data.

UK-US adequacy decision: Regulations leading to a UK-US data adequacy decision were introduced to the UK parliament. The ‘Data Bridge’ will take effect on 12 October. Thus organisations in the UK will be able to transfer personal data to US businesses certified under the “UK Extension to the EU-US Data Privacy Framework” without additional safeguards such as international data transfer agreements (the UK version of the EU’s standard contractual clauses or binding corporate rules). Both UK and US organisations will also have to update their privacy policies. In parallel, the US Department of Justice will add the UK as a qualified jurisdiction, whose citizens can seek legal redress under the data privacy framework.

Data Governance Act applicable since September: It sets up common European data spaces, involving both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, and public administration. Both personal and non-personal data are concerned. The act also defines a set of rules for providers of data intermediation services to ensure that they will function as trustworthy organisers of data sharing or pooling. One example might be Deutsche Telekom’s data marketplace in which companies can securely manage, provide and monetise good quality information, to optimise processes or entire value chains.

Official guidance: biometrics, AI transparency, gossip at work

Biometrics and employment: The use of biometric data can be considered excessive on the part of the employer and not required by regulatory acts, states the Latvian data protection regulator. A desired goal (for example, recording working hours or entering the office) can be achieved with less interference in the employee’s privacy. The biggest “stumbling block” for employers when implementing a biometric data processing system is not security issues only, but how to process the data legally.

Biometric data is a special category of data, the processing of which is permitted for employers only in certain cases (GDPR Art. 9 exceptions in conjunction with Art. 6 legal bases). For example, if companies plan to use their employees’ fingerprints or face scans to enter the workplace, the processing of biometric data must be based on the employees’ consent. It must be freely given, specific and informed. There should not be a situation where the employee suffers negative consequences because they did not give their consent.

AI Transparency: The proposed EU AI Act, whose material scope is AI systems, establishes a concept of transparency that differs from the same term established in the GDPR, whose material scope is the processing of personal data. Transparency within the framework of the two regulations involves different actors and is intended for different recipients, explains the Spanish data protection authority. Transparency under the proposed AI Act means information on AI systems, their providers and the entities that deploy these systems. When AI systems are included in, or are a means of, processing personal information, data controllers must also comply with the GDPR.

Typically, personal data processing is implemented through various types of systems, such as cloud systems, communication systems, mobile systems and encryption systems, and some of them could be AI systems. AI system designers, developers, suppliers and deploying entities can be data controllers and/or processors in various scenarios. At the same time, the natural persons who could be affected by these systems are not always data subjects as defined in the GDPR, for example when natural persons are recipients of multimedia content created by an AI system.

Gossip and personal data: There are ongoing examples of employees having unauthorised access to personal data. The Danish data protection authority states that most often it is only discovered when an individual becomes aware that someone is using information about them. It can be really difficult for the data controller to find out when employees use their system access in a way that is not related to work. Abuse of access rights cannot be completely prevented, but its likelihood depends on systematic rights management, good control procedures and effective enforcement on the part of the data controller. If, despite these measures, employees snoop on other people’s information, they can be punished with a fine or even reported to the police.

Enforcement decisions: electronic monitoring, recruitment, data deletion

Electronic surveillance: A privacy fine of approx. 10,000 euros was issued against the University of Iceland due to electronic monitoring. Complaints were made about surveillance cameras inside and outside the university buildings with no visible markings that would indicate that electronic surveillance was in place (a total of 97 security cameras, 75 indoors and 22 outdoors). There was also a complaint that there had been no presentation of the purpose, nature, scope, location or other aspects of the monitoring, which had been operational for several years. The institution hosts around 15,000 students and 4,900 employees per year, and hosts hundreds of annual events.

Certain points were evaluated as being in the university’s interest, but in light of the scope of the surveillance camera system, the number of those recorded and the duration of the violation, the decision to impose a fine was reached. The university claimed that, due to repeated break-ins, a decision had been made to increase the use of access cards and the number of security cameras. Nothing else was defined about the nature, extent or other aspects of electronic monitoring by the institution. On top of the fine, the regulator also ordered the updating and installation of electronic monitoring signs in buildings and outdoor areas of the university in compliance with the law.

Excessive recruitment data: Meanwhile the French regulator CNIL fined SAF Logistics 200,000 euros for excessive employee data collection and lack of cooperation. SAF Logistics is an air cargo service whose parent company is located in China. As part of internal recruitment for a position within the parent company, it requested information about the family members of employees such as their identity, contact details, function, employer and marital status, along with sensitive data such as blood type, ethnicity and political affiliations. It also stored extracts from criminal records. When the CNIL requested that the company translate the employee questionnaire, which was written in Chinese, the incomplete translation omitted the ethnicity and political affiliation fields.

Data (non)deletion: The hotel chain Arp-Hansen has been fined approx. 134,000 euros by a court in Denmark regarding a violation of the rules on the storage of personal data. The hotel chain did not comply with the erasure deadlines it had set itself (of 1 year). The Danish data protection authority estimated at the time that approx. 500,000 customer profiles should have been deleted at the time of the inspection visit. The case highlighted which financial statements should be used as a starting point when calculating a fine. The amount was determined after the court considered the hotel chain’s revised and published annual accounts for 2018, which reflected the company’s financial situation during the period of the offence.

Data security: US healthcare and mergers data

Healthcare data: The US FTC and HHS outlined the privacy and security laws and rules that impact consumer health data. Collecting, using or sharing consumer health information in the US is governed by four primary sources: the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Privacy, Security and Breach Notification Rules, the FTC Act, and the Health Breach Notification Rule. The publication addresses some of the basic questions: which entities are covered, what you have to do to maintain the privacy and security of consumers’ health information, and so on. You can also check out the FTC-HHS Mobile Health App Interactive Tool as you design, market and distribute your mobile health app.

M&A and data protection: US researchers from the Electronic Privacy Information Center are urging the Department of Justice to include data protection and consumer privacy as factors in the newest Merger Guidelines. In a data-driven economy, businesses’ mass accumulation of personal data can have anticompetitive effects that further undermine consumer privacy and data security. Mergers frequently involve the consolidation of data sets, which can extend a firm’s market dominant position, impact entry for smaller firms, and exacerbate the effects of harmful consumer data practices. As a result of such mergers, there is no meaningful opportunity for firms to compete with better privacy practices.

Big Data: Meta behavioural ads, TikTok minor’s privacy enforcement

Norway case goes to the European level: The Norwegian data protection authority has requested a binding decision from the EDPB in the Meta case. It asked that Norway’s temporary ban on behavioural advertising on Facebook and Instagram be made permanent and extended to the entire EU/EEA. The Norwegian regulator is only authorised to make a temporary decision in this case. The decision expires on 3 November. Earlier this year, the authority found that Meta processes personal data for illegal behavioural advertising and intrusive monitoring of users in the context of the Facebook and Instagram services. For this reason, it imposed a temporary sanction on the company. The regulator also won against Meta in court. Nonetheless, the company continues its activities and has not yet complied with the decision. Meta has submitted several administrative complaints against the Norwegian data protection authority’s decision so far. 

TikTok minors data: The Irish data protection commission adopted its final decision regarding TikTok’s processing of minors’ data and age verification during the registration procedure imposing fines totalling 345 million euros, with an order to bring the processing into compliance. The investigation found: 

  • children’s account settings were made public, 
  • certain features were enabled, exposing users under the age of 13,
  • privacy gaps in the “family pairing” function, 
  • misleading “dark patterns” during account creation and video uploading, and
  • failure to convey appropriate information to minors.

Interestingly, objections to the draft decision by the Irish regulator were raised by other concerned supervisory authorities, working as part of a cross-border investigation uncovering additional infringements including privacy-intrusive dark patterns. The case ended up at the EDPB for dispute resolution, which obliged the DPC to amend its draft decision to include new findings. 

Weekly digest February 21 – 27, 2022: the EU Data Act to facilitate use of digital economic data
https://techgdpr.com/blog/weekly-digest-28022022-the-eu-data-act-to-facilitate-use-of-digital-economic-data/ (Mon, 28 Feb 2022 09:36:08 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: draft EU Data Act, AI liability rules

The Commission proposed new rules on who can use and access data generated in the EU across all economic sectors. The EU Data Act will “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”. In particular the Act will:

  • allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers;
  • enable consumers and businesses to access the data of their device and use it for aftermarket and value-added services (eg, farmers, airlines and construction companies will make better decisions when buying higher quality products and services);
  • introduce measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts;
  • provide for public sector bodies to access and use data held by the private sector where necessary in the exceptional circumstance of a public emergency;
  • set new rules allowing customers to effectively switch between different cloud data-processing service providers and putting in place safeguards against unlawful data transfer.

In addition, the Data Act reviews certain aspects of the Database Directive which protects investments in the structured presentation of data. Notably, it clarifies that databases containing data from IoT devices and objects should not be subject to separate legal protection. This will ensure they can be accessed and used. The volume of industrial data is constantly growing and the Commission reports 80% of it is never used.

The EDPB sent a letter to the Commission on the initiative to adapt liability rules to the digital age and Artificial Intelligence. It considers that the revision of the legal framework should ensure consistency with, and complement, the EU acquis in the field of personal data protection, in particular when it comes to the security of personal data processing and the use of AI systems. Under the GDPR only controllers and processors would be liable, yet, for example in a personal data breach case, it is essential to consider the role and potential liability of providers of AI systems developed and made available in order to secure personal data processing. Because of the nature of AI, however, assigning responsibility to a party in a claim that involves an AI system might be particularly difficult, especially when the burden of proof lies with the individual, who could be unaware that AI is used and, in the majority of cases, would lack the information needed to prove the liability of the AI system. For that purpose, the EDPB wishes to stress the positive effects of:

  • including systematic human supervision;
  • transparency for the end-user on the use and operation of the AI system and on the deployed methods and algorithms;
  • limitations on, and liability risks in, the use of AI systems arising from different types of attacks;
  • making providers of AI systems responsible for providing users with mitigation tools for known and new types of attacks and for embedding security by design throughout the entire lifecycle of the AI;
  • making users of AI systems responsible for ensuring the safe operation of the system, etc.

Additionally, specific liabilities might be triggered by the ineffective application of data protection principles by AI providers and users. Lack of data accuracy or scarce attention paid to the fairness of algorithmic decisions might translate into impairments to individuals’ rights and freedoms as well as economic losses. 

Official guidance: video surveillance

The UK Information Commissioner’s Office has published a guide on the use of video surveillance. As video surveillance technology becomes more mainstream and affordable, it is now more common to see technologies such as smart doorbells and wireless cameras. Traditional CCTV also continues to evolve into more complex AI-based surveillance systems. These can process more sensitive categories of personal data. The ways in which the technology is used also continue to develop. Some of the provisions include:

  • a data protection by design and by default approach;
  • performing a legitimate interests assessment (LIA) to demonstrate the lawfulness of the processing, which can naturally feed into a DPIA for any processing that is likely to result in a high risk to individuals;
  • maintaining a record of the processing activities taking place;
  • determining the necessary data retention periods;
  • notifying and paying a data protection fee to the ICO, unless exempt, etc.

The guidance covers UK GDPR and Data Protection Act 2018 requirements. It applies where personal data is being processed by video surveillance systems in the public and private sectors. It also outlines considerations for the use of Automatic Number Plate Recognition, Body Worn Video, Unmanned Aerial Vehicles (also known as drones), Facial Recognition Technology and surveillance, commercial products such as smart doorbells and surveillance in vehicles, workplace monitoring, live streaming, and other commercially available surveillance systems that have the potential to process personal data.

Investigations and enforcement actions: proof of identity, satisfaction survey, cooperation with the regulator, data breach notification

The Netherlands’ data protection authority fined Belgium-based DPG Media 525,000 euros for GDPR violations. The regulator found that individuals who wanted to view the data the company held, or have it removed, first had to provide proof of identity. The regulator had received several complaints about the way Sanoma Media Netherlands BV (before it was acquired by DPG Media in 2020) dealt with these types of requests. In particular:

  • Subscribers received unwanted advertising from the company.
  • Anyone who wanted to unsubscribe, know what personal data was kept, or have data deleted, first had to upload proof of identity.
  • When proof of identity was sent digitally, the company did not inform these people that they were allowed to protect their data.
  • For customers who had not created an online account with DPG Media it was more difficult to access or change their data.

DPG Media has changed its working methods, and now sends a verification email to establish the identity of a requester. DPG Media has objected to the decision.

The EDPB analyzed a recent enforcement case in which the Hungarian supervisory authority fined a car importer for unlawful data processing practices related to satisfaction measurement. After the applicant had their car inspected or serviced by the respondent, a specialist car garage, the applicant provided their email address at the respondent’s request. The applicant subsequently received an unsolicited email asking them to complete a satisfaction questionnaire in relation to the service provided, and then another email asking them to complete the questionnaire again because they had not responded. The applicant’s consent for the transfer was not requested. Throughout the investigation, the importer could not demonstrate how the following processed data related to the stated purposes of satisfaction measurement and complaint management: the customer’s name, email address, home address, telephone number, age, gender, chassis number, registration number, technical data of the vehicle, the name of the dealer partner used, the date of the service used and the content of the feedback.

The EDPB also looked at another fine, imposed by the Polish regulator for lack of cooperation. The regulator had asked a company to respond to the content of a complaint and to answer detailed questions about the case. The regulator sent four requests to the company (the data controller); it accepted only one of them and did not reply. Disregarding the obligations relating to cooperation with the regulator constitutes a breach of great gravity and as such is subject to financial sanctions. The supervisory authority therefore imposed an administrative fine of approximately 4,000 euros, which will not only be effective, proportionate and dissuasive in this individual case but will also send a signal to other entities.

The Spanish regulator AEPD fined Worldwide Classic Cars Network 1,500 euros and imposed corrective measures for operating video surveillance without just cause and without information signs, Data Guidance reports. The complaint was filed by an individual over the installation of two video surveillance cameras which captured images of the public. Moreover, the cameras did not display signs in accordance with the GDPR. The AEPD ordered Worldwide Classic Cars to provide, within 10 business days, proof of the following measures: a) removing the cameras from their current location, or redirecting them to cover only the company’s own area; b) placing the information sign in the video-monitored areas; and c) making the stored information referred to in the GDPR available to those affected.

The Italian regulator ‘Garante’ ordered Minelli S.p.A to notify a data breach to the data subjects, Data Guidance reports. The company became aware of the breach following a report by an employee. The breach consisted of the temporary loss of availability of data (bank details, health data, authentication credentials) contained in a number of servers and PCs owned by the company, and the probable loss of confidentiality of the same data, as a result of a ransomware attack. The breach involved around 800 data subjects, including employees, consultants, customers and suppliers. However, Minelli had only notified the data breach to the employee who had initially detected the incident, and failed to notify all the data subjects involved.

DPIA: Microsoft Teams

The Dutch government released a public version of the DPIA on Microsoft Teams. The document assesses the data protection risks of the professional use of the tool in combination with OneDrive, SharePoint Online and Azure Active Directory. These applications are commonly used to access and store files shared via Teams. As a precondition to using Microsoft’s online services, end-users and admins, including guest users, must be authenticated through the online cloud service Azure Active Directory. The DPIA concludes that Microsoft has implemented many legal, technical and organizational measures to mitigate the risks for data subjects. In reply to the initial findings of the DPIA, Microsoft has also committed to improving some shortcomings and has provided important assurances.

However, in view of the ‘Schrems II’ ruling and the technical findings described in the report, Microsoft has to make more adjustments to address one high-risk and a couple of low-risk findings. It is uncertain how the transfer risks will be assessed by the national data protection authorities this year (in their joint investigation into the use of cloud services by public sector organizations). For this DPIA the transfer risks have been rigorously assessed, including in a separate DTIA.

Big Tech: TikTok’s child privacy, Meta-EU data transfer row, AI-based privacy compliance tool

The Texas Attorney General has launched an investigation into TikTok, demanding a wealth of documentary proof that the company has not been violating child privacy and enabling unlawful conduct and human trafficking. Two Civil Investigative Demands (CIDs) request that TikTok explain its privacy policy, procedures and review practices, and how it identifies and removes content for child safety. TikTok must also provide copies of policies, guidance, manuals, training materials and the like related to children’s use of TikTok. The company has until March 18 to reply to the CIDs.

Ireland’s data protection regulator is reportedly inching towards banning Meta’s Facebook and Instagram from transferring data to the US, after Data Protection Commissioner Helen Dixon issued a draft ruling on which Meta has 28 days to make legal submissions. These will likely focus on Meta’s claim that the transfer ban, a result of the Schrems privacy campaign and the 2020 ECJ decision to scrap the existing transatlantic data transfer agreement, damages its business and that of thousands of other companies. The decision could be shared with fellow EU regulators in April and, if none of them lodge an objection, “the earliest time we could have a final decision could be the end of May,” Helen Dixon told Reuters. Any objection could add some months to the timeline.

Mobile app developers have a new AI-based tool to help identify possible privacy and compliance issues within apps. Called Checks, it comes out of Google’s Area 120 incubator and is available on a freemium basis to all Android and iOS developers. Via Google Play, developers will be able to have their apps scanned for potential privacy and compliance problems and receive a report offering applicable solutions and resources.
