July 19, 2021
06/28/2021 – European Commission | Adequacy decision | Transfers to the UK
The Commission adopted two adequacy decisions allowing personal data to flow freely from the European Union to the United Kingdom.
The adequacy findings include a ‘sunset clause’ which entails that the decisions will automatically expire four years after their entry into force. They might be renewed only if the UK continues to ensure an adequate level of data protection.
For further information: Commission Website
06/23/2021 – European Commission | Proposal | Creation of a Cybersecurity Unit
The European Commission proposed the creation of a Joint Cyber Unit to tackle the rising number of serious cyber incidents impacting public services, as well as the life of businesses and citizens across the EU.
For further information: Commission Website
06/22/2021 – European Commission | Investigation | Antitrust Investigation
The European Commission opened a formal antitrust investigation to assess whether Google has violated EU competition rules by favoring its own online display advertising technology services in the so-called “ad tech” supply chain.
For further information: Commission Website
06/22/2021 – Court of Justice | Judgment | Latvian Law on Road Safety
The Court of Justice of the EU held that the GDPR precludes Latvian legislation which requires data relating to traffic offences to be made accessible to the public.
The Court notes that it has not been established that such a system is necessary with regard to the objective of improving road safety.
For further information: CJEU Press Release | CJEU Judgment
06/21/2021 – European Parliament | Research Paper | Online Advertising
The European Parliament Think Tank published a paper studying the impact of targeted advertising on advertisers, market access and consumer choice.
The paper identifies, inter alia, potential areas where the Digital Services Act and Digital Markets Act proposals could be improved, or new initiatives taken.
For further information: Research Paper
06/21/2021 – European Parliament | Research Paper | Artificial Intelligence Diplomacy
The European Parliament Think Tank published a study relating to Artificial Intelligence governance as a new EU external policy tool.
For further information: Research Paper
06/18/2021 – European Data Protection Board | Recommendations | Measures that Supplement Transfer Tools
The European Data Protection Board issued the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of personal data protection, adopted after public consultation.
The final version of the recommendations places an emphasis on the practices of “a third country’s public authorities” and advises entities to check “local laws and practices affecting compliance” with the European Commission’s new standard contractual clauses.
For further information: EDPB Recommendations
06/18/2021 – European Data Protection Board and European Data Protection Supervisor | Joint Opinion | Artificial Intelligence Act
The European Data Protection Board and the European Data Protection Supervisor adopted a Joint Opinion 5/2021 on the proposal for an Artificial Intelligence Act.
In particular, the Opinion stresses the need to explicitly clarify that existing EU data protection legislation applies to any processing of personal data falling under the scope of the draft AI Regulation.
For further information: EDPB Website
06/17/2021 – Court of Justice | Judgment | Intellectual Property Rights and Data Protection
The Court of Justice of the EU ruled that the systematic registration of IP addresses of users and the communication of their names and postal addresses to the holder of intellectual property rights or to a third party in order to enable an action for damages to be brought is permissible under certain conditions.
For further information: CJEU Press Release | CJEU Judgment
06/15/2021 – Court of Justice | Judgment | Supervisory Authorities Competence
The Court of Justice of the EU specified the conditions for the exercise of the national supervisory authorities’ powers with respect to the cross-border processing of data.
The Court rules that, under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing.
For further information: CJEU Press Release | CJEU Judgment
06/10/2021 – European Data Protection Supervisor | Digest | Data Transfers
The European Data Protection Supervisor issued a case-law digest on transfers of personal data to third countries.
For further information: EDPS Website
06/03/2021 – European Commission | Proposal | European Digital Identity
The European Commission proposed a framework for a European Digital Identity which will offer citizens and businesses digital wallets enabling them to access services online without having to use private identification methods or unnecessarily sharing personal data.
For further information: Commission Website
06/02/2021 – European Data Protection Board | Annual Report
The European Data Protection Board published its Annual Report for the year 2020, which provides a detailed overview of the work it carried out during the year.
For further information: EDPB Website
06/01/2021 – Danish Supervisory Authority | Public Consultation | Marketing
The Danish Supervisory Authority opened a public consultation in light of its forthcoming guidance on marketing.
Comments can be sent until 15 August 2021.
For further information: Datatilsynet Website
06/30/2021 – French Supervisory Authority | Software | Privacy Impact Assessment
The French Supervisory Authority published a new version of the Privacy Impact Assessment software, which allows for enhanced customization.
For further information: CNIL Website
06/29/2021 – French Supervisory Authority | Statement | Cookies
The French Supervisory Authority issued a statement urging organizations to allow Internet users to refuse cookies as easily as to accept them.
The Authority states that it will continue to issue formal notices and to launch sanctioning procedures over the coming months.
For further information: CNIL Website
06/25/2021 – French Supervisory Authority | Recommendation | Exercise of Rights
The French Supervisory Authority published a Recommendation concerning the exercise of rights through a person or organization mandated for this purpose.
For further information: CNIL Website
06/23/2021 – French Supervisory Authority | Guidance | Data Transfers
The French Supervisory Authority issued a series of articles on data transfers.
The Authority published two Q&As on the content and the consequences of the Schrems II ruling, as well as a methodology to help controllers identify and process data transfers outside of the EU.
For further information: CNIL Website | CNIL Website | CNIL Website
06/15/2021 – French Criminal Court | Ruling | Employee Monitoring
A French criminal court sentenced a furniture company to pay €1 million for keeping data collected illegally through employee surveillance, in particular criminal records.
Eight former executives, including the former CEO, were sentenced to prison terms ranging from three months to two years.
For further information: Legal News Report
06/15/2021 – French Supervisory Authority | Guidance | Standard Contractual Clauses
The French Supervisory Authority issued guidance on the new EU Standard Contractual Clauses in order to help controllers and processors with their implementation.
For further information: CNIL Website
06/14/2021 – French Supervisory Authority | Sanction | Marketing
The French Supervisory Authority (CNIL) fined a company €500,000 for several infringements relating to its marketing practices.
In particular, the company failed to comply with the GDPR’s data retention periods, data subjects’ rights and security obligations, as well as with the ePrivacy requirements to collect consent for direct marketing messages and advertising cookies.
The CNIL notes that it acted as the lead supervisory authority for the breaches of the GDPR, and independently for the infringements related to the ePrivacy Directive.
For further information: CNIL Website
06/11/2021 – French Supervisory Authority | Code of Conduct | Cloud Infrastructure Service Providers
The French Supervisory Authority approved the first European Code of Conduct, which is dedicated to Cloud Infrastructure Service Providers (IaaS).
For further information: CNIL Website
06/09/2021 – French Supervisory Authority | Recommendations | Data Protection of Minors
The French Supervisory Authority issued a series of eight recommendations to enhance the protection of minors online, after public consultation.
For further information: CNIL Website
06/07/2021 – French Supervisory Authority | Opinion | Covid-19 Pass
The French Supervisory Authority issued an opinion relating to the implementation of the Covid-19 pass, which is required to travel out of France or to access certain public places.
For further information: CNIL Website
06/07/2021 – French Competition Authority | Sanction | Online Advertising
The French Competition Authority fined Google €220 million for favoring its own services in the online advertising sector.
Google has committed to changing the functioning of its advertising service and bidding platform.
For further information: Competition Authority Website
06/22/2021 – Hessian Supervisory Authority | Guidance | Data Transfers
The Hessian Supervisory Authority announced that it is taking concrete steps to implement the consequences of the “Schrems II” ruling on data transfers.
The Authority emphasizes that transfers to third countries, such as the United States, are not permitted without supplementary measures. As a first step, the Authority will issue respective reminders to companies in Hessia, but companies may face increased scrutiny if supplementary measures are not adopted.
For further information: Press Release
06/21/2021 – German Data Protection Conference | Statement | Data Transfers
The German Data Protection Conference published a statement addressing the necessity to implement supplementary tests and measures despite the new EU standard contractual clauses.
For further information: Press Release
06/21/2021 – German Federal Commissioner for Data Protection and Freedom of Information | Statement | European Artificial Intelligence Act
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) published a statement on the European Artificial Intelligence Regulation proposal.
The BfDI outlines the importance of ensuring that AI systems do not violate fundamental rights and advocates for a ban on AI which is contrary to basic liberal democratic principles.
For further information: BfDI Website
06/03/2021 – Hellenic Supervisory Authority | Sanction | Employee Monitoring
The Hellenic Supervisory Authority fined a company €15,000 for implementing an illegal CCTV system which was located in the staff kitchen without informing the employees.
For further information: HDPA Decision
06/29/2021 – Icelandic Supervisory Authority | Sanction | Employee Monitoring
The Icelandic Supervisory Authority fined a company ISK 5,000,000 (approx. €34,000) for monitoring employees in an area used to change clothes without informing them.
For further information: Persónuvernd Website
06/23/2021 – Irish Supervisory Authority | FAQ | Data Protection Officer Register
The Irish Supervisory Authority published an FAQ relating to its registration of Data Protection Officers’ details.
For further information: DPC Guidance
06/22/2021 – Irish Supervisory Authority | Guidance | Covid-19
The Irish Supervisory Authority published guidance on the processing of Covid-19 vaccination data in the context of employment.
For further information: DPC Website
06/22/2021 – Italian Supervisory Authority | Sanctions | Direct marketing | Social media post | Employee Monitoring
The Italian Supervisory Authority (Garante) published three sanction decisions dated 13 May 2021.
First, the Authority fined an energy provider €3 million for sending direct marketing communications without valid consent.
The data subjects had given their consent to another controller, which then sold their personal data to the energy provider. The Garante recalls that the effectiveness of consent cannot be extended to subsequent transfers to other controllers.
Second, the mayor of Messina was fined €50,000 for posting the photographs and personal details of disabled minors, disadvantaged people and alleged offenders on social media.
The Garante finds that their identification was not justified by reasons of public interest and violated the right to non-discrimination as well as the dignity of the data subjects.
Finally, the Authority fined the Bolzano municipality €84,000 for the constant and generalized monitoring of its employees’ Internet browser.
For further information: Garante Website
06/07/2021 – Luxembourgish Supervisory Authority | Decisions
The Luxembourgish Supervisory Authority published 18 decisions, including fines, dated from March to April 2021 and concerning various infringements.
Breaches relate, inter alia, to the data protection officers’ functions, the data minimization principle and the data subjects’ right to information.
For further information: CNPD Website
06/28/2021 – Dutch Supervisory Authority | Sanction | Unsecured Patient Website
The Dutch Data Protection Authority fined an orthodontic practice €12,000 for allowing new patients to register on an unsecured website.
For further information: AP Website
06/22/2021 – Norwegian Supervisory Authority | Sanction | Access to Former Employee Emails
The Norwegian Supervisory Authority fined a company NOK 150,000 (approx. €14,700) for unlawfully accessing the mailbox of a former employee.
For further information: Datatilsynet Website
06/03/2021 – Norwegian Supervisory Authority | Injunction | Consent
The Norwegian Supervisory Authority published a decision dated 12 May 2021 ordering a provider of online courses to modify the way it collects consent.
According to the company’s privacy policy, data subjects who used the services of the company automatically consented to marketing communications and targeted advertising on social media.
For further information: Datatilsynet Website
06/08/2021 – Polish Supervisory Authority | Sanction | Data Breach Notification
The Polish Supervisory Authority fined a telecommunications operator PLN 100,000 (approx. €22,000) for failing to notify the Authority of a data breach within 24 hours.
For further information: UODO Website
06/29/2021 – Spanish Supervisory Authority | Guidance | Risk Management and Impact Assessment
The Spanish Supervisory Authority (AEPD) released a guide on risk management and impact assessment for personal data processing.
The guide includes criteria and interpretations from the AEPD, the European Data Protection Board and the European Data Protection Supervisor.
For further information: AEPD Website
06/17/2021 – Spanish Supervisory Authority | Sanction | Direct Marketing
The Spanish Supervisory Authority fined an energy provider €12,000 for making marketing calls to data subjects registered in the Robinson Do Not Call list.
For further information: AEPD Decision
06/17/2021 – Spanish Supervisory Authority | Sanction | Data Accuracy
The Spanish Supervisory Authority fined a company €10,000 for sending an invoice with the claimant’s personal data to the wrong recipient.
For further information: AEPD Decision
06/03/2021 – Spanish Supervisory Authority | Sanction | Employee Monitoring
The Spanish Supervisory Authority fined a company €19,600 for implementing an unlawful CCTV device within its premises.
For further information: AEPD Decision
06/23/2021 – UK Supervisory Authority | Sanction | Nuisance Marketing Calls
The UK Supervisory Authority fined a company £130,000 (approx. €150,000) for making more than 900,000 nuisance marketing calls to numbers registered on Do Not Call lists.
For further information: ICO Website
06/18/2021 – UK Supervisory Authority | Opinion | Live Facial Recognition
The UK Supervisory Authority (ICO) published an opinion on the use of live facial recognition technology in public places.
For further information: ICO Website
06/08/2021 – UK Supervisory Authority | Sanction | Nuisance Marketing
The UK Supervisory Authority issued fines of £170,000 (approx. €200,000), £100,000 (approx. €117,000) and £145,000 (approx. €170,000) against three companies for sending direct marketing messages and making marketing calls without valid consent.
For further information: ICO Website
06/03/2021 – UK Supervisory Authority | Sanction | Marketing Emails
The UK Supervisory Authority fined a political party £10,000 (approx. €8,500) for sending 51 marketing emails without valid consent.
For further information: ICO Website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.