Gibson Dunn | Europe | Data Protection – July – August 2021

September 8, 2021

Click for PDF

Personal Data Watch


08/27/2021 – European Data Protection Board | Internal Document | ePrivacy Directive

OneTrust DataGuidance published an internal document adopted by the European Data Protection Board (EDPB) on criteria of territorial competence of supervisory authorities (SAs) to enforce Article 5(3) of the ePrivacy Directive.

When the processing is exclusively regulated by the national law provisions transposing Article 5(3) of the ePrivacy Directive, the EDPB considers that SAs competent for the enforcement of Article 5(3) of the ePrivacy Directive are entitled to exercise the powers conferred on them by their national law, whenever:

  • The controller/service provider is established in their territorial jurisdiction;
  • The processing is carried out in the context of the activities of an establishment located in their territorial jurisdiction, even when exclusive responsibility for collecting and processing belongs, for the entire territory of the European Union, to an establishment located in another Member State;
  • In the absence of controller/service provider or establishment in their territorial jurisdiction, the national law provides another criteria for its enforcement.

In any event, the measures taken should not:

  • Concern users located in a territorial jurisdiction for which the SA is not competent;
  • Prevent another competent SA to enforce the ePrivacy Directive in respect of its territorial jurisdiction.

For further information: Internal EDPB Document 04/2021

08/05/2021 – European Data Protection Board | Report | Data Protection Authorities’ Resources and Enforcement Actions

The European Data Protection Board published a report providing an overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities.

For further information: EDPB Website

07/26/2021 – European Union Agency for Cybersecurity | Annual Reports | Telecom & Trust Services Security Incidents

The European Union Agency for Cybersecurity (ENISA) published its annual reports 2020 on Telecom Security Incidents and Trust Services Security Incidents.

For further information: ENISA Website

07/15/2021 – European Data Protection Board | Urgent Binding Decision

The European Data Protection Board adopted its first urgent binding decision pursuant to Art. 66(2) of the GDPR.

As a reminder, the decision follows a request from the Hamburg Supervisory Authority after it ordered a provisional ban on the processing activities of a controller.

The Board concludes that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the controller’s Lead Supervisory Authority does not need to adopt any final measures in this case, but is requested to carry out a statutory investigation as a matter of priority.

For further information: EDPB Website

07/07/2021 – European Data Protection Board | Guidelines | Codes of Conduct | Virtual Voice Assistant | Concepts of Controller and Processor

The European Data Protection Board adopted three sets of Guidelines, providing clarifications on (i) Codes of Conduct as a tool for transfers, (ii) Virtual Voice Assistants, and (iii) the concepts of Controller and Processor.

For further information: EDPB Website


07/05/2021 – Croatian Supervisory Authority | Sanction | Data Breach | Video Surveillance

The Croatian Supervisory Authority issued two administrative fines, respectively against (i) a Processor, regarding a data breach, and (ii) a Controller, for failing to provide adequate information about a video surveillance system.

For further information: AZOP Website


08/21/2021 – Danish Supervisory Authority | Statement | Inspections

The Danish Supervisory Authority stated that it is currently conducting written inspections of 30 organisations.

The questions aim to determine the level of compliance of the organisations in order to assess if further investigation should be carried out.

For further information: Datatilsynet Website

08/20/2021 – Danish Supervisory Authority | Guidance | Bodycams

The Danish Supervisory Authority clarified the rules applicable to the use of body-worn cameras (bodycams), especially in the context of employment.

For further information: Datatilsynet Website


08/18/2021 – French Supervisory Authority | Guidance | Biometric Devices for Access to School Canteens

The French Supervisory Authority issued guidance on the use of biometric devices for access to school canteens.

The Guidance highlights that the consent of the student, or the legal guardian where the student is a minor, is required. It must also be possible to freely refuse the use of this device.

For further information: CNIL Website

08/10/2021 – French Supervisory Authority | Recommendations | Attacks on Email Systems

The French Supervisory Authority provided recommendations on how to prevent cyber-attacks directed at email systems, and how to react in the event of such attack.

For further information: CNIL Website

07/27/2021 – French Supervisory Authority | Sanction | Cookies

The French Supervisory Authority fined a company €50,000 for automatically placing advertising cookies on users’ devices when accessing its website despite their refusal or without obtaining their consent.

For further information: CNIL Website

07/26/2021 – French Supervisory Authority | Sanction | Lobbying

The French Supervisory Authority (CNIL) fined a company €400,000 for failing to inform data subjects of the collection of their personal data for lobbying purposes.

The company held a file containing information on politicians and other individuals likely to influence the debate or public opinion, and rating their influence, credibility and support for the company.

For further information: CNIL Website

07/20/2021 – French Supervisory Authority | Sanction | Data Retention and Right of Information

The French Supervisory Authority fined an insurance company €1,750,000 for not complying with data retention periods and transparency requirements.

The company retained data relating to millions of people for an excessive period of time and failed to comply with information obligations in the context of cold calling campaigns.

For further information: CNIL Website

07/19/2021 – French Supervisory Authority | Formal Notice | Cookies

The French Supervisory Authority stated that it has issued a second series of formal notices against around 40 organisations which do not allow users to refuse cookies as easily as to accept them.

As a reminder, around 20 formal notices were issued by the CNIL in May 2021 regarding the same issue.

For further information: CNIL Website

07/16/2021 – French Supervisory Authority | Guidance | Insurance Sector

The French Supervisory Authority released guidance on the protection of personal data in the insurance sector.

The guidance covers in particular the qualifications of organisations in this sector, the legal bases applicable to key processing activities, data retention periods, data minimisation and data subjects rights, as well as profiling in the insurance sector.

For further information: CNIL Website

07/16/2021 – French Supervisory Authority | Accreditation | Monitoring Body

The French Supervisory Authority granted its first accredition of a monitoring body.

The accredited body will monitor compliance with the code of conduct designed for cloud infrastructure service providers.

For further information: CNIL Website


08/31/2021 – German Federal Supervisory Authority | Statement | Employer Inquiries into Vaccination Status of Employees

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) published a statement urging the German legislator to enact a uniform nationwide regulation addressing the issue of employer inquiries into the vaccination and test status of employees.

The BfDI makes clear that the regulation should be data protection-friendly and respect the right of informational self-determination of the employees. In the BfDI’s view, it might not even be necessary for the employer to know which specific status an employee has, i.e. whether he or she is vaccinated or tested.

For further information: BfDi Website

08/09/2021 – Berlin Supervisory Authority | Statement | Unlawful Website Tracking

The Berlin Supervisory Authority sent a written request to 50 Berlin-based organisations to bring tracking processes on their websites in line with the applicable data protection law. Otherwise, the Authority will initiate formal investigation procedures, which can lead to an order or a fine.

The large-scale campaign concerns companies whose cookie banners were found to be especially deficient, which have a comparatively large number of users or who may be processing sensitive data. Companies from various sectors are affected, such as e-commerce, real estate, finance, social networks, legal services, software, health, education and comparison sites.

For further information: BInBDI Website

07/19/2021 – North Rhine-Westphalia Supervisory Authority | Recommendations | International Data transfer

The North Rhine-Westphalia Supervisory Authority released its revised data transfer recommendations based on the new Standard Contractual Clauses adopted by the European Commission.

The LDI NRW highlights that organisations must first determine the legal basis of the processing and transfer before identifying the appropriate transfer mechanism.

For further information: LDI NRW Website

07/14/2021 – Baden-Württemberg Supervisory Authority | FAQ | Concepts of Controller and Processor

The Baden-Württemberg Supervisory Authority released its updated FAQ on the concepts of Controller and Processor based on the new EDPB Guidelines on the same.

For further information: LfDI BW Website

07/08/2021 – German Federal Court of Justice | Ruling | Access Requests Scope

The German Federal Court of Justice issued a ruling regarding the scope of data subject access requests under Art. 15 GDPR that extends the scope of such requests as opposed to previous German case law.

In particular, the Court notes that access claims are not limited to “essential biographical information”. The Court further states that the data subject can also assert his or her access right even if he or she is already aware of the information requested (e.g., in case of correspondence between the data subject and the controller) and the access request can also encompass internal notes or internal communications related to the data subject.

For further information: German Federal Court of Justice Website


08/28/2021 – Irish Supervisory Authority | Guidance | Redacting Documents and Records

The Irish Supervisory Authority published guidance on redacting documents and records, in the context of responding a data subject access request.

As a reminder, redaction is the process of concealing information while leaving intact the rest of the document or record containing it.

For further information: DPC Guidance

07/01/2021 – Irish Government | Guidance | Remote Working

The Irish Government published guidance relating to remote working, including recommendations as regards data protection.

The guidance refers to useful resources on this topic.

For further information: Government guidance


08/02/2021 – Italian Supervisory Authority | Sanction | Food Delivery Platforms | Algorithms

The Italian Supervisory Authority announced that it has fined two food delivery platforms, respectively €2,5 million and €2,6 million based on the lack of transparency in the use of algorithms and/or the disproportionate collection of workers’ data.

The decision finds, inter alia, that companies failed to adequately inform their employees on the functioning of the system and had no procedures in place to enforce the right to obtain human intervention, express one’s point of view and contest the decisions taken by way of those algorithms.

The sanction also orders the two company to bring their processing into compliance in light of the decision.

For further information: Garante Website | Garante Website

07/10/2021 – Italian Supervisory Authority | Guidelines | Cookies

The Italian Supervisory Authority published its new guidelines on cookies.

The new guidelines replace the 2014 version. Organisations have six months to comply with these new rules.

For further information: Garante Website

07/02/2021 – Italian Supervisory Authority | Annual Report

The Italian Supervisory Authority published its 2020 annual report.

The report outlines the context of the Covid-19 pandemic and the necessity to balance the rights of individuals with functional and effective data processing.

For further information: Garante Website


07/16/2021 – Luxembourg Supervisory Authority | Sanction | Data Breach

The Luxembourg Supervisory Authority imposed the biggest ever European Union privacy fine of €746 million, as revealed by Bloomberg.

The concerned organisation disputes the existence of the data breach that led to the fine and plans to appeal.

For further information: Bloomberg Website


08/20/2021 – Maltese Supervisory Authority | Guidance | Cookies

The Maltese Supervisory Authority issued a guidance note on cookies consent requirements.

The note specifies the applicable legal framework, practices which are not considered to be compliant with data protection rules and example of a good-practice approach to ensure compliance.

For further information: IDPC guidance


07/15/2021 – Dutch Supervisory Authority | Guidance | Cross-Sectoral Blacklists

The Dutch Supervisory Authority released guidance on cross-sectoral blacklists.

The guidance aims to clarify the rules applicable to the practice of sharing lists of criminals, for instance shoplifters, with other organisations.

For further information: AP Website


08/12/2021 – Norwegian Supervisory Authority | Sanction | Unlawful Processing

The Norwegian Supervisory Authority proposed to fine a beauty salon NOK 100,000 (approx. €10,000) for failing to inform on its use of cameras.

For further information: Datatilsynet Website


08/06/2021 – Romanian Supervisory Authority | Annual report

The Romanian Supervisory Authority published its 2020 annual report.

The report outlines that the Authority imposed a total of 29 fines reaching RON 892,116 (approx. €180,000), as well as 64 warnings and 65 corrective measures.

For further information: ANSPDCP Website


08/03/2021 – Spanish National Cybersecurity Institute | Guidance | Remote Working

The Spanish National Cybersecurity Institute published guidance on remote working.

The guidance addresses the definition of the company policy on the topic, security objectives and threats, remote access methods, as well as protection of the servers and devices.

For further information: AEPD Website


08/27/2021 – Swiss Supervisory Authority | Statement | Standard Contractual Clauses Recognition

The Swiss Supervisory Authority published a statement recognising the new Standard Contractual Clauses as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.

For further information: FDPIC Website

United Kingdom

08/19/2021 – UK Supervisory Authority | Approval | Certification Scheme

The UK Supervisory Authority approved the first UK GDPR certification scheme criteria.

The purpose of this certification is to help organisations demonstrate compliance with data protection rules and, in turn, inspire trust and confidence in the people who use their products, processes and services.

For further information: ICO Website

08/19/2021 – UK Supervisory Authority | Sanction | Illegal Pensions Calls

The UK Supervisory Authority fined a marketing company £50,000 (approx. €60,000) for making almost 100,000 direct marketing calls about their pensions.

For further information: ICO Website

08/11/2021 – UK Supervisory Authority | Consultation | International Data Transfer

The UK Supervisory Authority launched a public consultation on its draft international data transfer agreement (IDTA) and guidance.

The IDTA will replace the current Standard Contractual Clauses to take into account the Schrems II ruling.   

For further information: ICO Website

08/02/2021 – UK Supervisory Authority | Sanction | Illegal Marketing Calls

The UK Supervisory Authority fined a nuisance call blocker company £170,000 (approx. €200,000) for making almost 200,000 illegal marketing calls.

For further information: ICO Website

07/01/2021 – UK Supervisory Authority | Sanction | Illegal Nuisance Calls

The UK Supervisory Authority fined a company £200,000 (approx. €230,000) for making more than 11 millions unlawful claims management calls.

For further information: ICO Website


08/10/2021 – None of Your Business | Formal Complaints | Cookies

The non-governmental organisation None Of Your Business filed 422 formal complaints with Supervisory Authorities in 10 countries regarding alleged breaches of cookie banner requirements.

For further information: NOYB Website

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.