Gibson Dunn | Europe | Data Protection – June 2021

June 8, 2021

Personal Data Watch

Europe

06/04/2021 – European Commission | Standard Contractual Clauses

The European Commission adopted its final sets of Standard Contractual Clauses (SCCs), issued on 4 June and published in the Official Journal of the EU on 7 June 2021: the first to regulate the relationship between controller and processor in accordance with the requirements of Article 28 and the second to carry out international data transfers to a third country in the absence of an adequacy decision under Article 46 of the GDPR.

Previous SCCs on international data transfers will be repealed 3 months after the entry into force of the new clauses, so that, until 27 September 2021, it is still possible to rely on the previous SCCs, even for new contracts or processing. In addition, for contracts concluded before 27 September 2021, the parties may still rely on the previous SCCs until the end of an additional 15-month transitional period (until 27 December 2022), provided the processing remains unchanged and reliance on the previous SCCs ensures that the transfer is subject to appropriate safeguards.

A specific Gibson Dunn Client Alert will be published soon in order to provide further details regarding these new sets of SCCs.

For further information: Press Release | SCCs for controllers and processors | SCCs for international transfers


05/19/2021 – European Data Protection Board | Letter | AML-CFT

The European Data Protection Board published a letter to the European Commission, dated 19 May 2021, relating to the upcoming Anti-Money Laundering / Combating the Financing of Terrorism (AML-CFT) legal framework.

This letter follows the adoption by the EDPB in December 2020 of a Statement on the protection of personal data processed in relation to the prevention of the use of the financial system for the purposes of money laundering and terrorist financing, as well as the adoption by the European Commission of an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing and the launch of a public consultation in May 2020.

For further information: EDPB letter to the European Commission


05/27/2021 – European Data Protection Supervisor | Investigations | Data transfers

The European Data Protection Supervisor announced that it has opened two investigations on the use by European institutions of cloud services providers in the US considering the “Schrems II” ruling.

For further information: Press Release


05/25/2021 – European Data Protection Board | Letter | Main establishment

The European Data Protection Board published its response letter, dated 19 May 2021, following questions asked by a non-profit organization advocating for privacy on the internet, in relation to the identification of a controller’s main establishment in the EU under the GDPR.

For further information: EDPB letter to Access Now


05/21/2021 – European Data Protection Board | Letter | Data transfers to international organizations

The European Data Protection Board published a letter, dated 19 May 2021, sent to the United Nations.

In particular, the letter focuses on data transfers from the EEA to international organizations outside the EEA and announces the creation of a dedicated Task Force to discuss the matter, in which the participation of United Nations representatives is welcomed.

For further information: EDPB letter to the UN


05/20/2021 – European Parliament | Resolution | Data transfers

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) published a resolution calling on the European Commission to set clear guidelines on transfers of personal data to the US, in line with the Schrems II ruling.

For further information: Press Release


05/19/2021 – European Data Protection Board | Opinions | Codes of conduct

The European Data Protection Board adopted two Article 64 GDPR opinions relating to draft decisions on transnational Codes of Conduct submitted by the French (CNIL) and the Belgian (APD) Supervisory Authorities.

The EDPB is of the opinion that both draft codes comply with the GDPR. According to the GDPR, adherence to approved codes of conduct may be used as an element to demonstrate legal compliance.

For further information: EDPB Opinion 16/2021 on APD’s draft decision | EDPB Opinion 17/2020 on CNIL’s draft decision


05/19/2021 – European Data Protection Board | Recommendations | Credit card storage

The European Data Protection Board adopted Recommendations relating to the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions.

For further information: EDPB Recommendations 02/2021


05/19/2021 – European Data Protection Board | Statement | Data Governance Act proposal

The European Data Protection Board adopted a Statement on the Data Governance Act proposal (DGA).

For further information: EDPB Statement 05/2021


05/11/2021 – European Parliament | Resolution | UK Adequacy decision

Members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) adopted a resolution in which they urge the European Commission to amend its draft adequacy decision on the UK.

For further information: Press Release


05/05/2021 – European Union Agency for Cybersecurity | Recommendations | Connected vehicles

The European Union Agency for Cybersecurity published an in-depth analysis on the cybersecurity challenges faced by the connected and automated mobility sector and provides actionable recommendations to mitigate them.

For further information: Press Release | ENISA Recommendations


Denmark

05/05/2021 – Danish Supervisory Authority | Guidance | Consent

The Danish Supervisory Authority updated its guidance on consent in light of the GDPR.

For further information: Datatilsynet website (in Danish) | Datatilsynet guidance (in Danish)


France

05/28/2021 – French Supervisory Authority | Draft recommendation | Data logging

The French Supervisory Authority issued a draft recommendation, dated 29 April 2021, on log files in order to help controllers put in place appropriate measures.

The document is open for public consultation until 23 July 2021.

For further information: CNIL website (in French) | CNIL draft recommendation (in French)


05/25/2021 – French Supervisory Authority | Formal notices | Cookies

The French Supervisory Authority announced that it has issued approximately 20 formal notices to organizations, including international digital providers and public organizations, that are not enabling users to refuse cookies as easily as accepting them.

For further information: CNIL website (in French)


05/25/2021 – French Supervisory Authority | Guidance | Social and health care sector

The French Supervisory Authority announced that it has developed, together with the National Union of Family Associations, a guide relating to GDPR compliance in the social and health care sector.

For further information: CNIL website (in French) | Unaf guide (in French)


05/18/2021 – French Supervisory Authority | Annual Report

The French Supervisory Authority (CNIL) published its Annual Report for the year 2020.

In particular, the CNIL highlights the key numbers of its activity in 2020, which show a high number of complaints and an increase in reported data breaches. The CNIL also focuses on the new rules on cookies, cybersecurity and digital sovereignty.

For further information: CNIL website (in French) | CNIL 2020 Annual Report (in French)


05/12/2021 – French Supervisory Authority | Opinion | Covid-19 passport

The French Supervisory Authority issued an opinion on the draft law relating to the implementation of the Covid-19 passport, which aims to allow access to some public places and large-scale gatherings.

For further information: CNIL website (in French) | CNIL opinion (in French)


05/07/2021 – French Supervisory Authority | Standard | Traffic violations

Following public consultation, the French Supervisory Authority published the final version of its standard, adopted on 12 April 2021, relating to the designation of drivers of vehicles belonging to a company when they commit a traffic violation.

For further information: CNIL website (in French) | CNIL standard (in French)


05/04/2021 – French Supervisory Authority | Formal notice closure | Smart meters

The French Supervisory Authority (CNIL) issued a decision closing the formal notice of 31 December 2019 sent to an electricity provider relating to the processing of personal data through LINKY meters.

For further information: CNIL website (in French) | CNIL decision (in French)


Germany

06/01/2021 – German Supervisory Authorities | Investigation | International Data Transfers

Several German Supervisory Authorities (among them the Berlin, Brandenburg, Bavarian, Rhineland-Palatinate and Lower Saxony Supervisory Authorities) initiated a coordinated investigation into international data transfers of several companies within their respective jurisdictions.

The Supervisory Authorities released statements that they sent coordinated questionnaires to several companies. They have also clearly stated that the investigation aims to determine whether the requirements set up by the Court of Justice of the European Union (CJEU) in its Schrems II ruling of last year are being complied with, and to enforce these requirements in case any deficiencies are discovered. In this regard, the Supervisory Authorities point out that the CJEU has held in its ruling that data protection authorities must suspend or even prohibit a transfer of personal data to a third country if the transfer is not in line with the GDPR.

For further information: Berlin DPA press release (in German) | Brandenburg DPA press release (in German) | Bavaria DPA press release (in German) | Rhineland-Palatinate DPA press release (in German) | Niedersachsen DPA press release (in German) | Joint questionnaire (in German)


05/28/2021 – German Legislator | New Law | Data Protection and Privacy in Telecommunications and Telemedia Act

The German Parliament (Bundestag) and Federal Council (Bundesrat) have passed a new privacy law aimed at telecommunications related data.

The Telecommunications and Telemedia Data Protection Act (TTDSG) aims to modernize German telecommunications law and is intended to create a comprehensive regulation on data privacy in telecommunications and telemedia. While various provisions already existed in this area, they were scattered throughout different laws, and Germany had also failed to fully implement the requirements of European law (e.g. on the use of website cookies). Notably, the TTDSG, together with another new law, the Telecommunications Modernization Act (TKMoG), implements requirements of the European Electronic Communications Code (EECC) and the e-Privacy Directive into German law and harmonizes them with the GDPR. The new law will become effective on December 1, 2021.

For further information: German Bundestag website (in German) | German Bundesrat website (in German)


05/27/2021 – Lower Saxony Supervisory Authority | Annual Report

The Lower Saxony Supervisory Authority published its Annual Report for the year 2020.

For further information: LfD Niedersachsen website (in German)


05/26/2021 – Baden-Württemberg Supervisory Authority | Investigation | Facial recognition technology

Face recognition technology remains a topic of increased scrutiny. The Baden-Württemberg Supervisory Authority (LfDI) has initiated proceedings against a foreign facial recognition technology service provider and sent a detailed investigation questionnaire.

For further information: LfDI press release (in German)


05/25/2021 – Bavarian Supervisory Authority | Annual Report

The Bavarian Supervisory Authority published its Annual Report for the year 2020.

For further information: BayLfD website (in German) | BayLfD Annual Report (in German)


05/12/2021 – Rhineland-Palatinate Supervisory Authority | Statement | Data transfers

The Rhineland-Palatinate Supervisory Authority urges organizations to comply with the “Schrems II” ruling of the Court of Justice and to prevent violations of data transfer rules to non-European countries.

For further information: LfDI Rheinland-Pfalz website (in German)


Greece

05/17/2021 – Hellenic Supervisory Authority | Sanction | Unlawful processing and right to erasure

The Hellenic Supervisory Authority issued a fine of € 10,000 against a municipality for processing personal data without legal basis and failing to respect individuals’ right to erasure despite such requests.

For further information: HDPA website (in Greek) | HDPA decision (in Greek)


Ireland

05/14/2021 – Irish Supervisory Authority | Sanction | Technical and organizational measures

The Irish Supervisory Authority published a decision dated 23 March 2021 in which it imposed a fine of € 90,000 against a credit reference agency for failing to implement appropriate technical and organizational measures following a data breach that led to the disclosure of 1,062 inaccurate individuals’ accounts to financial institutions or data subjects, due to a technical error in code.

For further information: DPC website | DPC decision


Italy

05/24/2021 – Italian Supervisory Authority | Guidance | Data Protection Officers

The Italian Supervisory Authority issued new guidance relating to the designation, the position and the duties of Data Protection Officers (DPOs) in the public sector and updated its FAQ on DPOs in the private sector.

For further information: Garante website (in Italian) | Garante guidance (in Italian) | Garante FAQ (in Italian)


05/19/2021 – Italian Supervisory Authority | Sanction | Adequate protection

The Italian Supervisory Authority published a decision dated 15 April 2021 where it fined the city of Palermo € 40,000 for not having adequately protected personal data.

For further information: Garante website (in Italian) | Garante decision (in Italian)


05/19/2021 – Italian Supervisory Authority | Sanction | Unlawful processing of employees’ data

The Italian Supervisory Authority published a decision, dated 15 April 2021, where it fined a company € 40,000 for carrying out unlawful processing of its employees’ data.

For further information: Garante website (in Italian) | Garante decision (in Italian)


05/14/2021 – Italian Supervisory Authority | Guidance | Vaccination

The Italian Supervisory Authority issued guidance relating to the processing of personal data as part of the Covid-19 vaccination in the workplace.

For further information: Garante website (in Italian) | Garante guidance (in Italian)


05/12/2021 – Italian Supervisory Authority | TikTok and children’s data

Following TikTok’s commitments to the Italian Supervisory Authority (Garante) relating to the processing of children’s data, the Garante announced that TikTok took additional measures to keep children under 13 off the platform.

For further information: Garante website


Luxembourg

05/06/2021 – Luxembourg Supervisory Authority | Certification criteria

The Luxembourg Supervisory Authority published its updated certification criteria for the “GDPR-Certified Assurance Report-based Processing Activities” under Article 42(1) of the GDPR.

The document is open for public consultation until 15 June 2021.

For further information: CNPD website (in French) | CNPD certification criteria


Netherlands

05/12/2021 – Dutch Supervisory Authority | Sanction | Representative designation

The Dutch Supervisory Authority published a decision dated 10 December 2020 in which it imposed a fine of € 525,000 against an international platform provider for not having appointed an EU representative, which made it difficult for data subjects to exercise their rights.

For further information: AP website (in Dutch) | AP decision (in Dutch)


Norway

05/20/2021 – Norwegian Supervisory Authority | Sanction | Publication of sensitive data

The Norwegian Supervisory Authority issued a fine of NOK 400,000 (approx. € 39,000) against a municipality for publishing, for 5 hours, a document containing sensitive data, including health data, which was wrongfully approved for publication.

For further information: Datatilsynet website (in Norwegian)


05/18/2021 – Norwegian Supervisory Authority | Sanction | Credit scoring

The Norwegian Supervisory Authority issued a fine of NOK 1 million (approx. € 98,700) against a credit scoring company for processing individuals’ personal data without legal basis.

For further information: Datatilsynet website (in Norwegian) | Datatilsynet decision (in Norwegian)


05/05/2021 – Norwegian Supervisory Authority | Sanction | Data breach

The Norwegian Supervisory Authority issued a decision imposing a fine of NOK 1,250,000 (approx. € 120,000) following a data breach affecting 3.2 million individuals, including 500,000 children, whose personal data were publicly disclosed for 87 days.

For further information: Datatilsynet website (in Norwegian) | Datatilsynet decision (in Norwegian)


05/04/2021 – Norwegian Supervisory Authority | Draft decision | Data transfer

The Norwegian Supervisory Authority notified a toll company of its intention to impose a fine of NOK 5 million (approx. € 500,000) for transferring drivers’ personal data to China in an unlawful manner.

For further information: Datatilsynet website (in Norwegian) | Datatilsynet draft decision (in Norwegian)


05/02/2021 – Norwegian Supervisory Authority | Draft decision | Unlawful processing

The Norwegian Supervisory Authority notified a US comment sharing platform of its intention to impose a fine of NOK 25 million (approx. € 2.5 million) for not complying with the GDPR rules on accountability, lawfulness and transparency.

For further information: Datatilsynet website (in Norwegian) | Datatilsynet draft decision (in Norwegian) | EDPB Press Release


Spain

05/25/2021 – Spanish Supervisory Authority | Sanction | Direct marketing

The Spanish Supervisory Authority issued a fine of € 100,000 against a telecommunications operator, acting as a processor, for not cross-checking the Do-not-Call register before making marketing calls.

For further information: AEPD decision (in Spanish)


05/25/2021 – Spanish Supervisory Authority | Sanction | Legal basis

The Spanish Supervisory Authority issued a fine of € 45,000 against a telecommunications operator for processing personal data without a legal basis.

For further information: AEPD decision (in Spanish)


05/25/2021 – Spanish Supervisory Authority | Sanction | Direct marketing

The Spanish Supervisory Authority issued a fine of € 50,000 against a telecommunications operator for calling an individual for marketing purposes despite the exercise of his right to object.

For further information: AEPD decision (in Spanish)


05/24/2021 – Spanish Supervisory Authority | Guidance | Data breach notifications

The Spanish Supervisory Authority (AEPD) issued a new version of its guidance relating to data breach notifications.

For further information: AEPD website (in Spanish) | AEPD guidance (in Spanish)


05/18/2021 – Spanish Supervisory Authority | Guide | Employment

The Spanish Supervisory Authority published a guide regarding data protection in the context of employment, developed with the Ministry of Labor and trade union organizations.

For further information: AEPD website (in Spanish) | AEPD guide (in Spanish)


05/04/2021 – Spanish Supervisory Authority | Sanction | Security measures and transparency

The Spanish Supervisory Authority issued sanctions against two subsidiaries of an electricity provider group, imposing fines of € 1.5 million each for failing to implement technical and organizational measures and not providing mandatory information to data subjects.

For further information: AEPD 1st decision (in Spanish) | AEPD 2nd decision (in Spanish)


Sweden

05/26/2021 – Swedish Supervisory Authority | Guidance | Video surveillance

The Swedish Supervisory Authority published guidance relating to the use of video surveillance systems.

For further information: IMY website (in Swedish) | IMY guidance (in Swedish)


United Kingdom

05/17/2021 – UK Supervisory Authority | Sanction | Direct marketing

The UK Supervisory Authority (ICO) issued a decision where it fined a multinational financial services company £ 90,000 (approx. € 104,000) for sending more than four million marketing emails to customers despite the fact that they opted out.

For further information: ICO website | ICO decision


05/13/2021 – UK Supervisory Authority | Guidance | Algorithms

The UK government published guidance relating to the Ethics, Transparency and Accountability Framework for Automated Decision-Making.

For further information: UK government website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.