Gibson Dunn | Europe | Data Protection – February 2021

February 12, 2021

Click for PDF

Personal Data Watch


01/15/2021 – European Data Protection Board – European Data Protection Supervisor | Joint Opinions | Standard Contractual Clauses

The European Data Protection Board and the European Data Protection Supervisor adopted joint opinions on the new sets of Standard Contractual Clauses (SCCs) drafted by the European Commission.

One opinion relates to the SCCs between controllers and processors and the other one to the SCCs for the transfer of personal data to third countries.  With respect to SCCs for data transfer and from a general perspective, the opinion highlights that while the new SCCs enable to reinforce the level of protection of data subjects, several provisions could be improved or clarified.

For further information: EDPB Press Release | EDPS Press Release | Joint opinion 1/2021 | Joint opinion 2/2021

01/14/2021 – European Data Protection Board | Guidelines | Data breach notification

The European Data Protection Board (EDPB) published its draft of Guidelines (01/2021) on Examples regarding Data Breach Notification.

The EDPB outlines that this document is complementary to the guidelines WP250 on Personal data breach notification under the GDPR, as last revised and adopted by the Article 29 Working Party on 6 February 2018. This draft is subject to public consultation until 2 March 2021.

For further information: EDPB website

01/13/2021 – Court of Justice of the EU | AG Opinion | GDPR’s “one-stop shop” and Cooperation and Consistency Mechanism

The Advocate-General (AG) of the Court of Justice of the European Union considers that the “lead supervisory authority” in the Member State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing.

The other national supervisory authorities concerned are only entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.

For further information: Press release on the AG Opinion | AG Opinion

01/13/2021 – European Data Protection Board | Update | Brexit

The European Data Protection Board updated its statement on Brexit and its Information Note on data transfers to the UK after the transition period, that were initially published on 15 December 2020.

For further information: Statement on Brexit | Information note

01/12/2021 – European Court of Human Rights | Judgment | Respect of private life by a public authority

The European Court of Human Rights (ECHR) decided that the publication of the applicant’s personal data on the website of the Hungarian tax authority for failing to fulfil his tax obligations did not infringe Article 8-1 of the European Convention on Human Rights on respect for private life.

For further information: Information Note on the ECHR’s case-law | ECHR judgment

01/12/2021 – European Data Protection Supervisor | Online tool | Compliance

The European Data Protection Supervisor (EDPS) released an open-source software called “Website Evidence Collector” for the automation of privacy and personal data protection inspections of websites.

In particular, this tool collects evidence of personal data processing, such as cookies, or requests to third parties when navigating on a website.

For further information: EDPS website

01/05/2021 – Council of the European Union | Regulation proposal | e-Privacy

The Portuguese presidency of the Council of the European Union adopted a new version of the e-Privacy Regulation proposal.

This 14th draft of the proposal intends to simplify the text and further align it with the GDPR. The transition period has been shortened from 24 to 12 months.

For further information: New draft of the proposal

Czech Republic

01/05/2021 – Czech Supervisory Authority | Sanction | Marketing communications

The Czech Supervisory Authority imposed several sanctions amounting to CZK 3,111,000 (approx. € 118,000) against 11 different companies that used personal data in an abusive manner by sending them unsolicited marketing communications by post mail.

For further information: UOOU website (in Czech)


01/21/2021 – Danish Supervisory Authority | Investigation | TikTok

The Danish Supervisory Authority announced that it will hand over the investigation it has started on TikTok to the Irish Supervisory Authority, in its capacity of lead supervisory authority.

For further information: Datatilsynet website (in Danish)


01/27/2021 – French Supervisory Authority | Sanctions | Security

The French Supervisory Authority (CNIL) imposed two sanctions of € 150,000 and € 75,000 respectively against a controller and its processor for not having implemented appropriate measures to face credential stuffing attacks on the controller’s website.

For further information: CNIL website (in French)

01/12/2021 – French Supervisory Authority | Sanction | Drone surveillance

The French Supervisory Authority (CNIL) issued a call to order against the French Ministry of the Interior (as the CNIL cannot impose financial fines against the State) for having illegally conducted surveillance operations on the population by drone.

The CNIL indicated that the process implemented by the Ministry did not rely on any legal provision and did not conduct any data protection impact assessment, although it was mandatory to so in this context. The Ministry also failed to comply with its obligation to inform data subjects.

For further information: CNIL website (in French)

12/30/2020 – French Supervisory Authority | Guidance | Covid-19

The CNIL published a guidance for the collection of personal data regarding the vaccination campaign against Covid-19.

For further information: CNIL website (in French)


01/27/2021 – German Federal Government | Data strategy

The German Cabinet adopted the Data Strategy of the German Federal Government.

The German Federal Government’s Data Strategy consists of over 240 measures and intends to make Germany a “trailblazer in the innovative use of data and data sharing in Europe”. Its core fields of action include (i) establishing an effective and sustainable data infrastructure, (ii) enhancing responsible and innovative data use, (iii) establishing “data culture” and “data competency”, and (iv) reorganizing public administration to delivery high quality digital public services.

For further information: Press Release

01/08/2021 – Lower-Saxony Supervisory Authority | Sanction | Video surveillance

The Supervisory Authority of Lower-Saxony imposed a sanction of 10,4 million euros against a company selling electronic products online for having implemented excessive and unlawful videosurveillance systems on its employees and some of its clients.

According to the Supervisory Authority, videosurveillance system which sole purpose is to identify criminal offences is lawful only within a limited period of time and only if there is a reasonable suspicion towards certain individuals. The amount of the fine (and its largely turnover-focused determination) has been critized publicly and is expected to be challenged in court.

For further information: Press Release (in German)

01/04/2021 – German network regulation Authority | Sanction | Nuisance calls

The German network regulation Authority (Bundesnetzagentur) imposed a sanction of €145,000 against a call center for making mass nuisance and direct marketing calls without the consent of individuals.

The call center operator has appealed the fining decision.

For further information: Press Release (in German)


01/25/2021 – Italian Supervisory Authority | Sanction | Unlawful processing

The Italian Supervisory Authority imposed a fine of € 500,000 against the city of Rome for having conducted unlawful processing related to users’ and employees’ data, in the context of its appointment system.

For further information: Press Release (in Italian) | Garante decision against the city of Rome (in Italian) | Garante decision against city of Rome’s contractor (in Italian)

01/22/2021 – Italian Supervisory Authority | Action | TikTok

The Italian Supervisory Authority (Garante) ordered TikTok to stop all data processing related to users whose age could not be verified.

In December 2020, the Garante had already notified to TikTok several breaches of the GDPR, among which the insufficient measures taken to ensure specific protection to children under 13.

This limitation order lasts until 15 February 2021, date on which the Garante will reassess the case and the decision shall be notified to the Irish Supervisory Authority, acting as the lead supervisory authority.

For further information: Press Release | Decision of the Garante (in Italian)


01/14/2021 – Norwegian Supervisory Authority | Sanction| Data sharing

The Norwegian Supervisory Authority (Datatilsynet) sanctioned two companies to a fine of NOK 400,000 each (approx. € 38,700) for illegally sharing personal data with third parties.

The first sanction, published on 12 January 2021, concerns an employer who activated the automatic transfer of its employee mail box while he was on leave.

The second sanction, published on 14 January 2021, relates to a shop manager who recorded video surveillance images and shared them online.

For further information: 1st sanction Press Release (in Norwegian) | 2nd sanction Press Release (in Norwegian)

01/07/2021 – Norwegian Supervisory Authority | Sanction| Legal basis

The Norwegian Supervisory Authority (Datatilsynet) imposed three different sanctions against banks which conducted credit scoring operations without legal basis in relation to individuals who were not affiliated in any way to these banks.

The sanctions imposed were respectively of NOK 75,000 (approx. €7,000); NOK 1M (approx. €96,000); and NOK 100,000 (approx. €9,600).

For further information: Decision against Gveik AS (in Norwegian) | Decision against Innovation Norway (in Norwegian) | Decision against Lindstrand Trading AS (in Norwegian)


12/31/2020 – Polish Supervisory Authority | Sanction | Security

The Polish Supervisory Authority (UODO) imposed a fine of PLN 1,000,000 (approx. €250,000) to a Fintech company that did not implement appropriate technical and organizational measures despite having received alerts regarding security breaches, which lead to a data breach (loss of confidentiality).

For further information: UODO website (in Polish)


01/21/2021 – Spanish Supervisory Authority | Sanction | Legal basis

The Spanish Supervisory Authority (AEPD) imposed a sanction of €50,000 against an electricity and gas provider that processed personal data without the consent of individuals.

For further information: AEPD resolution n°00232/2020 (in Spanish)

01/13/2021 – Spanish Supervisory Authority | Sanction | Legal basis and transparency

The Spanish Supervisory Authority (AEPD) imposed a sanction of €6,000,000 against a Spanish bank for failing to obtain consent and for the breach of its transparency obligations.

For further information: AEPD resolution n°00477/2019 (in Spanish)

01/04/2021 – Spanish Supervisory Authority | Sanction | Data accuracy and integrity

The Spanish Supervisory Authority (AEPD) imposed a sanction of €90,000 against an electronic communications network provider for the breach of the accuracy principle (article 5.1(d) of the GDPR) and the integrity and confidentiality principle (article 5.1(f) of the GDPR).

For further information: AEPD resolution n°00415/2020 (in Spanish)


01/22/2021 – Swiss Supervisory Authority | Article | Covid-19

The Swiss Supervisory Authority (PFDT) published an article on data protection requirements when companies collect health data in the context of the pandemic.

The PFDT specifies that companies shall comply not only with public law rules related to protection plans against the pandemic but also with data protection rules.

For further information: PFDT Website (in French)

United Kingdom

01/22/2021 – UK Supervisory Authority | Sanctions | Nuisance calls

The UK Supervisory Authority (ICO) issued fines totaling £480,000 (approx. €540,000) to four different companies for making unlawful calls to individuals who expressed their objection to receive such calls by registering into the UK “Do Not Call” Register (the Telephone Preference Service or TPS).

For further information: ICO website


01/22/2021 – UK Supervisory Authority | Article | Data transfers

The UK Supervisory Authority (ICO) published an article on the consequences of the UK-EU Trade Agreement on data protection.

In particular, the ICO highlights that the agreement contains short-term provisions allowing data transfers between the EU and the UK but also long-term commitments, by maintaining high standards of data protection.

For further information: ICO website

01/17/2021 – UK Supervisory Authority | Investigation | AdTech

The UK Supervisory Authority (ICO) announced it has resumed its investigations regarding real-time bidding (RTB) and the AdTech industry.

This investigation was interrupted in May 2020 due to the need to prioritize ICO activities on the Covid-19 pandemic.

For further information: ICO website

01/08/2021 – UK Competition and Markets Authority | Investigation | Cookies

The UK Competition and Markets Authority announced it has opened an investigation in order to verify whether or not the Google’s “Privacy Sandbox” project distorts competition within the ad industry.

The “Privacy Sandbox” objective is to disable third-party cookies on Chrome browser and to replace them by new tools better protecting data protection.

For further information: Press Release | UK Government website

01/08/2021 – UK Supervisory Authority | Sanction | Computer Misuse Act prosecution

Following an investigation by the UK Supervisory Authority (ICO), an employee of a company in the motor industry has been sentenced to 8 months’ imprisonment and 2 years suspension for transferring personal data to an accident claims management firm without authorization.

The personal data that have been wrongfully transmitted included partial names, mobile phone numbers and registration numbers. Evidences showed these data were used to make nuisance calls.

For further information: ICO website


01/25/2021 – None Of Your Business | Appeal | Data transfers

None Of Your Business (NOYB) announced that it has filed an administrative action before the Luxembourg courts against the Luxembourg Supervisory Authority (CNPD).

Such action is due to the refusal of the CNPD to take over two complaints from NOYB regarding controllers established in the United States while, according to NOYB, the CNPD stated that the GDPR applied to these companies.

For further information: Press Release

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.