May 12, 2021
04/23/2021 – European Data Protection Supervisor | Statement | Artificial Intelligence Act Proposal
The European Data Protection Supervisor published a statement in which it welcomes the legislative proposal for an Artificial Intelligence Act but regrets that its earlier calls for a moratorium on the use of remote biometric identification systems in publicly accessible spaces have not been addressed by the Commission.
For further information: Press Release
04/21/2021 – European Commission | Proposals | Artificial intelligence
The European Commission published two proposals aiming to turn Europe into the global hub for trustworthy Artificial Intelligence: the Artificial Intelligence Act and the new rules on machinery products.
For further information: Press Release; Proposal for an Artificial Intelligence Act; Proposal for a Regulation on Machinery Products
04/20/2021 – European Parliament | Statement | EU-US data transfers
The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE) called for clear guidelines on data transfers with the United States.
In particular, the LIBE Committee urges the European Commission to issue detailed guidelines on making data transfers compliant with the “Schrems II” case, and it calls on the Commission to launch infringement procedures against Ireland for failing to enforce the GDPR effectively.
For further information: Press Release
04/19/2021 – European Data Protection Supervisor | Annual Report
The European Data Protection Supervisor issued its Annual Report for the year 2020, presenting how it continued to fulfil its role despite the context of the pandemic.
For further information: Press Release; EDPS 2020 Annual Report
04/13/2021 – European Data Protection Board | Guidelines | Dispute resolution
The European Data Protection Board (EDPB) adopted Guidelines on the application of Article 65(1)(a) of the GDPR relating to the resolution by the EDPB of disputes between supervisory authorities.
The Guidelines are open for public consultation until 28 May 2021.
For further information: EDPB Guidelines 03/2021
04/13/2021 – European Data Protection Board | Guidelines | Social media
Following public consultation, the European Data Protection Board adopted the final version of the Guidelines 8/2020 on the targeting of social media users.
For further information: EDPB Guidelines 08/2020
04/13/2021 – European Data Protection Board | Opinions | UK adequacy decisions
The European Data Protection Board adopted two opinions on the European Commission draft Implementing Decisions related to the adequate protection of personal data in the United Kingdom.
For further information: EDPB Website; EDPB Opinion 14/2021; EDPB Opinion 15/2021
04/06/2021 – European Data Protection Board | Guidance | Certification criteria
The European Data Protection Board adopted an Addendum to its Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR.
The Guidance is open for public consultation until 26 May 2021.
For further information: EDPB Guidance
04/06/2021 – European Data Protection Board & European Data Protection Supervisor | Joint Opinion | Digital Green Certificate proposals
The European Data Protection Board and the European Data Protection Supervisor published a joint opinion on the Digital Green Certificate Proposals, adopted on 31 March 2021.
The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates.
For further information: Press Release; EDPB-EDPS Joint Opinion 04/2021
04/26/2021 – Belgian Supervisory Authority | Sanction | Unlawful access to information
The Belgian Supervisory Authority issued a fine of €100,000 against a company for not taking sufficient security measures to prevent unauthorized access to information by its employees.
For further information: APD decision (in French)
04/07/2021 – Danish Supervisory Authority | Decision | Encryption
The Danish Supervisory Authority issued a decision criticizing the use by the police of an online solution related to weapons permits which did not ensure a sufficient degree of encryption, resulting in a breach of Article 32 of the GDPR.
For further information: Press Release (in Danish); Datatilsynet decision (in Danish)
04/06/2021 – Danish Supervisory Authority | Annual Report
The Danish Supervisory Authority published its Annual Report for the year 2020.
For further information: Press Release (in Danish); Datatilsynet Annual Report (in Danish)
04/23/2021 – French Supervisory Authority | Article | Ransomware
The French Supervisory Authority published an article in which it notes that ransomware attacks have increased in recent months and indicates how to react if one occurs.
For further information: CNIL website (in French)
04/22/2021 – French Supervisory Authority | Statement | Covid-19 tracing app
Following the implementation of a new feature in the TousAntiCovid tracing app, which makes it possible to store test results and vaccination certificates electronically, the French Supervisory Authority published a statement in which it specifies the guarantees that this new feature should provide.
For further information: CNIL website (in French)
04/15/2021 – French Supervisory Authority | Compliance | SME companies
The French Supervisory Authority published a checklist and a Q&A page to help small and medium-sized companies with GDPR compliance.
For further information: CNIL’s checklist (in French); CNIL’s Q&A page (in French)
04/09/2021 – French Supervisory Authority | Guidance | Cyberattacks
The French Supervisory Authority published guidance on fraud that targets organizations by email and requests international money transfers (also called CEO fraud), with recommendations to help organizations prevent such attacks.
For further information: CNIL website (in French)
04/02/2021 – French Supervisory Authority | Statement | Cookies
The French Supervisory Authority published a statement recalling that the deadline to comply with the rules on cookies and other trackers ended on 31 March 2021.
For further information: CNIL website (in French)
04/30/2021 – Federal Data Protection Commissioner | Covid-19 tracking app
The Federal Data Protection Commissioner published a statement on the use of Germany’s Covid-19 tracing app.
For further information: Press Release (in German)
04/29/2021 – Rhineland-Palatinate Commissioner for Data Protection | Statement | Artificial Intelligence Act
The Rhineland-Palatinate Commissioner for Data Protection and the Freedom of Information published a statement requesting a more thorough privacy assessment of the European Commission’s proposed AI Act – including with respect to facial and voice recognition, sensitive personal data and mass surveillance.
For further information: Press Release (in German)
04/27/2021 – Federal Labor Court on the Scope of Art. 15 GDPR
The Federal Labor Court rejected a claim for access to information and emails based on Article 15 GDPR.
The court ruling, however, did not address substantive questions regarding the scope of Article 15(3) GDPR as it found that procedural requirements under German law regarding the accurate determination of the requested personal data were not met in the particular case.
For further information: Press Release (in German)
04/27/2021 – German Data Protection Officer questions referred to the CJEU
The German Federal Labor Court referred a number of GDPR-related questions to the CJEU.
The questions referred to the CJEU relate to data protection officers, including the question of the possibility for a data protection officer to be at the same time a works council representative.
For further information: Press Release (in German)
04/15/2021 – German Federal Supervisory Authority | Statement | Draft law on telecommunications
The German Federal Supervisory Authority issued a statement on the draft law regulating data protection and the protection of privacy in telecommunications and telemedia (TTDSG).
For further information: BfDI website (in German)
04/08/2021 – Berlin Supervisory Authority | Annual Report
The Berlin Supervisory Authority released its Annual Report for the year 2020.
For further information: Press Release (in German); Annual Report (in German)
04/23/2021 – Irish Supervisory Authority | Regulatory strategy
The Irish Supervisory Authority (DPC) published its draft Regulatory Strategy for 2021-2026, which sets out its vision for what it believes will be five crucial years in the evolution of data protection law.
The DPC’s draft is open for public consultation until 30 June 2021.
For further information: DPC website; DPC draft Regulatory Strategy
04/27/2021 – Italian Supervisory Authority | Sanction | Direct marketing
The Italian Supervisory Authority published three decisions dated 11 March 2021, regarding three call centers, respectively fined €80,000, €15,000 and €5,000 for conducting direct marketing calls without individuals’ prior consent or despite their subscription to the public opposition register.
For further information: Garante website (in Italian); 1st Garante decision (in Italian); 2nd Garante decision (in Italian); 3rd Garante decision (in Italian)
04/27/2021 – Italian Supervisory Authority | Sanction | Right to erasure and freedom of information
The Italian Supervisory Authority (Garante) published a decision dated 25 March 2021 issuing a fine of €20,000 against a newspaper for not responding to a data subject who exercised his right to erasure in relation to an article containing information about him.
However, the Garante refused to order the newspaper to delete the article, in accordance with the freedom of information, as it deems the request unfounded considering the social utility and the historical value of the article as well as the fact that it had already been de-indexed by the newspaper.
For further information: Garante website (in Italian); Garante decision (in Italian)
04/27/2021 – Italian Supervisory Authority | Sanction | Direct marketing
The Italian Supervisory Authority published a decision dated 25 March 2021 issuing a fine of €30,000 against a company that sent marketing emails to individuals without collecting prior consent and without including an efficient “unsubscribe” link in the emails sent.
For further information: Garante website (in Italian); Garante decision (in Italian)
04/23/2021 – Italian Supervisory Authority | Formal warning | Digital Green Certificates
The Italian Supervisory Authority published a formal warning to the Italian government in relation to the decree for the creation of the Digital Green Certificates framework, recently adopted.
For further information: Garante website
04/16/2021 – Italian Supervisory Authority | Opinion | Facial recognition
The Italian Supervisory Authority published an opinion dated 25 March 2021 in which it concluded that the Italian Ministry of the Interior’s project to implement a real-time CCTV system using facial recognition is non-compliant.
For further information: Garante website (in Italian); Garante Opinion (in Italian)
04/02/2021 – Italian Supervisory Authority | Sanction | Aggressive marketing
The Italian Supervisory Authority published a decision dated 25 March 2021 issuing a fine of €4.5 million against a company for conducting unsolicited marketing calls to millions of individuals whose personal data were provided by third parties that did not obtain prior valid consent from those individuals.
For further information: Garante website (in Italian); Garante decision (in Italian)
04/29/2021 – Dutch Supervisory Authority | Sanction | Wi-Fi tracking
The Dutch Supervisory Authority published a decision dated 11 March 2021 in which it issued a fine of €600,000 against a municipality for implementing, through two providers, a Wi-Fi tracking mechanism to measure foot traffic in the city center, without any legal basis.
For further information: AP website; AP decision (in Dutch)
04/22/2021 – Norwegian Supervisory Authority | Annual Report
The Norwegian Supervisory Authority published its Annual Report for the year 2020.
For further information: Datatilsynet 2020 Annual Report (in Norwegian)
04/21/2021 – Norwegian Supervisory Authority | Sanction | CCTV
The Norwegian Supervisory Authority issued a fine of NOK 200,000 (approx. €20,000) against a restaurant for operating 24-hour CCTV with no valid legal basis.
For further information: Datatilsynet website (in Norwegian)
04/09/2021 – Norwegian Supervisory Authority | Sanction | Data breach
The Norwegian Supervisory Authority published a decision issued on 15 March 2021, which imposed a fine of NOK 1 million (approx. €99,700) against a municipality for having published personal data on its website.
For further information: Datatilsynet website (in Norwegian); Datatilsynet decision (in Norwegian)
04/27/2021 – Portuguese Supervisory Authority | Decision | Data transfers
The Portuguese Supervisory Authority ordered the Portuguese national institute of statistics to suspend, within 12 hours, any transfer of personal data to the United States or any other third country not considered as ensuring an adequate level of protection.
For further information: CNPD website (in Portuguese)
04/26/2021 – Spanish Supervisory Authority | Sanction | Data accuracy
The Spanish Supervisory Authority issued a fine of €1 million against a credit reporting agency for failing to comply with the GDPR principles (purpose limitation, lawfulness, accuracy and data minimization) and its obligation to inform the individuals.
For further information: AEPD resolution (in Spanish)
04/13/2021 – Spanish Supervisory Authority | Sanction | Unlawful processing
The Spanish Supervisory Authority issued a fine of €150,000 against a telecommunications operator for sending invoices to the claimant despite the end of their contractual relationship.
The amount of the fine was reduced to €90,000 due to the operator’s acknowledgment of its responsibility and the voluntary payment of the fine.
For further information: AEPD resolution (in Spanish)
04/09/2021 – Spanish Supervisory Authority | Sanction | Direct marketing
The Spanish Supervisory Authority issued a fine of €150,000 against a telecommunications operator for sending mass direct marketing messages without the consent of individuals.
The amount of the fine was reduced to €90,000 due to the operator’s acknowledgment of its responsibility and the voluntary payment of the fine.
For further information: AEPD resolution (in Spanish)
04/07/2021 – Spanish Supervisory Authority | Sanction | Right to erasure
The Spanish Supervisory Authority issued a fine of €100,000 against a bank for failing to grant the right to erasure as requested.
The amount of the fine was finally reduced to €60,000.
For further information: AEPD resolution (in Spanish)
04/06/2021 – Spanish Supervisory Authority | Annual Report
The Spanish Supervisory Authority released its Annual Report for the year 2020.
For further information: Press Release (in Spanish); AEPD Annual Report (in Spanish)
04/20/2021 – UK Supervisory Authority | Article | Innovation and economic growth
The UK Supervisory Authority published an article relating to how its Innovation Hub is enabling innovation and economic growth through cross-regulatory collaboration.
For further information: ICO website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn.
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.