April 9, 2021
03/30/2021 – European Commission | Republic of Korea’s adequacy
The European Commission announced that it will proceed with launching a decision-making procedure with a view to having an adequacy decision adopted for the Republic of Korea as soon as possible in the coming months.
This involves obtaining an opinion from the European Data Protection Board and the green light from a committee composed of representatives of the EU Member States. Once this procedure is completed, the Commission will adopt the adequacy decision on the Republic of Korea.
For further information: Press Release
03/25/2021 – European Parliament | Resolution | GDPR enforcement
The European Parliament calls for improved implementation and enforcement of the GDPR.
For further information: Press Release
03/22/2021 – European Union Agency for Cybersecurity | Technical Guideline
The European Union Agency for Cybersecurity (ENISA) published a Technical Guideline on Incident Reporting under the European Electronic Communications Code.
For further information: ENISA website
03/19/2021 – European Union Agency for Cybersecurity | Report | Microsoft Exchange vulnerabilities
The European Union Agency for Cybersecurity (ENISA) published a report relating to Microsoft Exchange vulnerabilities, following active exploitation observed on on-premises Microsoft Exchange installations.
For further information: Press Release; ENISA situational report
03/18/2021 – European Data Protection Supervisor | Formal Comments | European Health Union Package
The European Data Protection Supervisor published its Formal Comments, dated 4 March 2021, on a package of three legislative proposals for a European Health Union.
For further information: Press Release; EDPS Formal Comments
03/16/2021 – European Data Protection Board | Work Programme 2021/2022
The European Data Protection Board (EDPB) published its Work Programme for 2021/2022 in which it lists Guidelines and other documents it intends to adopt.
The EDPB based its upcoming work on four pillars: (i) advancing harmonization and facilitating compliance; (ii) supporting effective enforcement and efficient cooperation between national supervisory authorities; (iii) a fundamental rights approach to new technologies; and (iv) the global dimension.
For further information: EDPB Work Programme 2021/2022
03/11/2021 – European Data Protection Supervisor | Opinion | Proposal for a NIS 2.0 Directive
The European Data Protection Supervisor (EDPS) published its Opinion 5/2021 on the Cybersecurity Strategy and the NIS 2.0 Directive.
In its Opinion, the EDPS welcomes the “Proposal for a NIS 2.0 Directive” which aims to replace the existing Directive on security of network and information systems.
For further information: Press Release; EDPS Opinion 5/2021
03/10/2021 – European Data Protection Board & European Data Protection Supervisor | Joint Opinion | Data Governance Act
The European Data Protection Board and the European Data Protection Supervisor adopted a joint opinion on the proposal for a Data Governance Act (DGA).
For further information: EDPB Press Release; EDPS Press Release; EDPB-EDPS Joint Opinion 03/2021
03/09/2021 – European Data Protection Board | Letter | Cloud services cybersecurity
The European Data Protection Board sent a letter to the European Union Agency for Cybersecurity (ENISA) providing recommendations on the draft cloud services cybersecurity scheme.
For further information: EDPB letter to ENISA
03/09/2021 – European Data Protection Board | Guidelines | Final versions
After public consultation, the EDPB adopted the final versions of (i) Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications and (ii) Guidelines 09/2020 on relevant and reasoned objection under GDPR.
For further information: EDPB Guidelines 01/2020 adopted after public consultation; EDPB Guidelines 09/2020 adopted after public consultation
03/09/2021 – European Data Protection Board | Guidelines | Virtual Voice Assistants
The EDPB adopted Guidelines on Virtual Voice Assistants, which are open for comments until 23 April 2021.
For further information: EDPB Guidelines 02/2021
03/09/2021 – European Data Protection Board | Statement | ePrivacy Regulation
The European Data Protection Board (EDPB) adopted a Statement on the ePrivacy Regulation.
It welcomed the agreed negotiation mandate adopted by the Council on 10 February 2021, but noted that this Regulation should complement the GDPR and not de facto change it.
For further information: EDPB Statement 03/2021
03/08/2021 – European Data Protection Supervisor | Opinion | Europol Regulation
The European Data Protection Supervisor published its Opinion on the proposal for amendment of the Europol Regulation, which aims, in particular, to broaden the scope of Europol’s mandate.
For further information: Press Release; EDPS Opinion 4/2021
03/16/2021 – Belgian Supervisory Authority | Tools | Compliance
The Belgian Supervisory Authority announced that it has released a set of new tools to help controllers, processors and Data Protection Officers with GDPR compliance.
For further information: APD website (in French)
03/05/2021 – Czech Supervisory Authority | Statement | Covid-19 employees testing
The Czech Supervisory Authority published a statement, updated on 26 March 2021, relating to the conditions under which employers can conduct data processing to comply with their obligation to test their employees for Covid-19.
For further information: UOOU website (in Czech)
03/22/2021 – French Supervisory Authority | Data breach notification
Following the fire which took place in an OVH data center in Strasbourg, the French Supervisory Authority published a reminder on the obligations regarding data breach notifications.
For further information: CNIL website (in French)
03/18/2021 – French Supervisory Authority | Q&A | Cookies
The French Supervisory Authority published a Q&A with more than 30 questions addressing practical issues related to the implementation of its Guidelines and Recommendations on cookies.
For further information: CNIL website (in French)
03/17/2021 – French Supervisory Authority | Investigation | Social network
The French Supervisory Authority opened an investigation against an audio social network (Clubhouse).
For further information: CNIL website (in French)
03/08/2021 – French Supervisory Authority | Evaluation program | Audience measurement tools
The French Supervisory Authority (CNIL) is inviting any provider of audience measurement tools to submit its tool to the CNIL’s evaluation of the consent exemption before 30 June 2021.
A specific form, with proper documentation, should be submitted to the CNIL. If the tool is “validated” by the CNIL, the tool will be referred to on the CNIL’s website and the provider will be able to display on the tool’s page that it has participated in the evaluation program proposed by the CNIL and is therefore able to offer a tool exempted from the consent requirement in accordance with the guidelines issued by the CNIL.
For further information: CNIL website (in French)
03/02/2021 – French Supervisory Authority | Focus for 2021
The French Supervisory Authority (CNIL) published its priority topics for the investigations that it will conduct in 2021.
In particular, the CNIL will focus on: (i) cybersecurity of websites; (ii) security of health data; and (iii) compliance with the principles applicable to cookies and other trackers.
For further information: CNIL website (in French)
03/26/2021 – German Data Protection Conference | Opinion | COVID-19 contact tracing technologies
The German Data Protection Conference (DSK) published an opinion regarding the importance of compliance with data protection principles when developing COVID-19 contact tracing solutions.
In particular, the DSK criticized the absence of uniform, national regulations for digital contact tracing and emphasized that the principle of data minimization should always be adhered to when developing contact tracing technologies.
For further information: DSK website (in German)
03/25/2021 – German Federal Commissioner for Data Protection and Freedom of Information | Annual report
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) published the annual activity report for data protection and freedom of information highlighting the 2020 activities of the BfDI.
For further information: BfDI website (in German)
03/16/2021 – German Federal Office for Information Security | Standard | Video conferencing
The Federal Office for Information Security (BSI) launched, on 16 March 2021, a public consultation on a draft of minimum standards for securing video conferencing services.
For further information: BSI website (in German)
03/10/2021 – Baden-Württemberg Supervisory Authority | Sanction | Accountability
The Baden-Württemberg Supervisory Authority imposed a fine of €300,000 against a German soccer club for a breach of the accountability principle provided by the GDPR.
For further information: Press Release (in German)
03/17/2021 – Irish Supervisory Authority | Correspondence | Schrems II
The Irish Supervisory Authority (DPC) published its correspondence with the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE) in relation to two draft resolutions regarding the Schrems II case proceeding.
For further information: DPC website
03/11/2021 – Italian Supervisory Authority | Sanction | Adequate technical and organizational measures
The Italian Supervisory Authority (Garante) issued a fine of €350,000 against the City of Rome and a fine of €60,000 against its processor, for failing to implement adequate technical and organizational measures when processing personal data of citizens and carrying out the processing without an appropriate legal basis.
For further information: Garante decision against the City of Rome (in Italian); Garante decision against the City of Rome’s processor (in Italian)
03/11/2021 – Italian Supervisory Authority | Sanction | Unlawful disclosure and DPO designation
The Italian Supervisory Authority issued a fine of €75,000 against the Ministry of Economic Development for not appointing a data protection officer and for having unlawfully disclosed on its website the resumes of more than 5,000 individuals.
For further information: Garante website (in Italian)
03/01/2021 – Italian Supervisory Authority | Statement | Covid-19 vaccination pass
The Italian Supervisory Authority announced that, in the absence of a legislative framework, the use in any form, by public or private entities providing services to the public, of apps or passes intended to distinguish citizens vaccinated against Covid-19 from unvaccinated citizens is to be considered illegitimate.
For further information: Garante website (in Italian)
03/31/2021 – Dutch Supervisory Authority | Sanction | Data breach notification
The Dutch Supervisory Authority published its decision, dated 10 December 2020, imposing a fine of €475,000 on a hotel booking website for late notification (delay of 22 days) of a data breach that affected more than 4,000 individuals.
For further information: AP website (in Dutch); AP decision (in Dutch)
03/08/2021 – Norwegian Supervisory Authority | Sanction | CCTV
The Norwegian Supervisory Authority imposed a fine of NOK 150,000 (approx. €14,700) against an electricity provider for installing a camera on the top of its building and broadcasting the images live on the Internet, without having a legal basis to do so.
For further information: Datatilsynet website (in Norwegian); Datatilsynet decision (in Norwegian)
03/04/2021 – Polish Supervisory Authority | Sanction | Data breach notification
The Polish Supervisory Authority published a sanction, dated 11 January 2021, imposing a fine of PLN 136,000 (approx. €30,000) against a company for failure to report a data breach.
For further information: UODO website (in Polish); UODO decision (in Polish)
03/18/2021 – Spanish Supervisory Authority | Sanction | Data breach notification
The Spanish Supervisory Authority (AEPD) issued a fine of €600,000 against an airline company for late notification (delay of 41 days) of a data breach of 1.5 million data records.
For further information: AEPD resolution (in Spanish)
03/11/2021 – Spanish Supervisory Authority | Sanction | Various GDPR non-compliances
The Spanish Supervisory Authority (AEPD) imposed a fine of €8.15 million against a telecommunications operator for various GDPR non-compliances (e.g., transfers outside the EU without sufficient safeguards; no cross-reference of the numbers registered on the national “Do-Not-Call” register).
For further information: AEPD resolution (in Spanish)
03/09/2021 – Spanish Supervisory Authority | Appeal against a decision
The Spanish Supervisory Authority issued a decision by which it upheld the appeal filed by a social network fined for breaching the rules on cookies.
For further information: AEPD resolution (in Spanish)
03/09/2021 – Spanish Supervisory Authority | Sanction | Scoring
The Spanish Supervisory Authority imposed a fine of €50,000 against a credit scoring company for processing data related to individuals’ assets solvency and credits, without informing them and with no legitimate purpose.
For further information: AEPD resolution (in Spanish)
03/23/2021 – UK communications regulator & UK Supervisory Authority | Joint plan | Nuisance calls and messages
The UK Office of Communications (Ofcom) published the updated 2021 joint action plan for nuisance calls and messages, prepared with the UK Supervisory Authority.
For further information: Press Release; Ofcom and ICO 2021 Joint plan
03/05/2021 – UK Supervisory Authority | Sanctions | Nuisance messages
The UK Supervisory Authority imposed fines totaling £330,000 (approx. €385,000) against two companies that sent nuisance text messages during the Covid-19 pandemic.
For further information: ICO website
03/02/2021 – UK Supervisory Authority | Reminder | Children’s Code
The UK Supervisory Authority published an article in which it urges businesses to comply with the Children’s Code as it comes into force within 6 months.
For further information: ICO website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email: