Gibson Dunn | Europe | Data Protection – November 2021

November 16, 2021

Click for PDF

Personal Data Watch


10/18/2021 – European Data Protection Board | Coordinated Action | Use of Cloud Based Services by the Public Sector

The European Data Protection Board decided to launch the proposal for its first coordinated action on the use of Cloud based services by the public sector.

As a reminder, in a coordinated action, the Board prioritizes a certain topic for supervisory authorities to work on at the national level. The results of these national actions are then bundled and analyzed, generating deeper insight into the topic and allowing for targeted follow-up at both the national and the European Union level.

For further information: EDPB Website

10/14/2021 – European Data Protection Board | Minutes of Plenary Meeting | Data Transfers

The European Data Protection Board, in the minutes of its 54th plenary meeting, shared information about the state of play and the progress of the discussions on the draft guidelines on the interplay between Article 3 and Chapter V of the GDPR.

In particular, the minutes underline the importance to quickly finalize those guidelines and disclose that a specific set of standard contractual clauses regarding transfers to importers subject to Article 3(2) of the GDPR will be developed after the draft guidelines are adopted.

For further information: EDPB Website

10/13/2021 – European Data Protection Board | Guidelines | Restrictions of Data Subject Rights

The European Data Protection Board issued the final version of its Guidelines 10/2020 on restrictions under Article 23 of the GDPR following public consultation.

As a reminder, Article 23 of the GDPR provides that, under Union or Member State law, the application of certain provisions of the Regulation, relating to the rights of the data subjects and controllers’ obligations, may be restricted in some situations.

The Guidelines aim to recall the conditions surrounding the use of such restrictions by Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR.

For further information: EDPB Website


10/27/2021 – Danish Supervisory Authority | Guidance | Testing IT Systems

The Danish Supervisory Authority published a guide on the use of personal data for the purpose of developing and testing IT systems.

The guide provides information on: (i) the rights and duties in that respect, (ii) the legal basis for the processing, (iii) the data minimisation principle, (iv) data retention and storage limitation and (v) the technical and organizational security measures.

For further information: Datatilsynet Website

10/26/2021 – Danish Supervisory Authority | Statement | Statistical Cookies

The Danish Supervisory Authority issued a statement to clarify that the GDPR requirements apply to the collection and processing of personal data about website visitors via statistical cookies.

As a reminder, the Danish Business Authority, which is the authority in charge of the questions relating to cookies in Denmark, initiated an inspection campaign to control compliance with the rules on cookies. The Business Authority also announced that it will not prioritize the inspection of websites using statistical cookies, in light of such cookies’ usefulness to optimize websites and the fact that the current negotiations on the e-Privacy Regulation propose to exempt them from consent.

Following this announcement, the Danish Supervisory Authority clarified that it will nevertheless monitor that the processing of personal data collected via statistical cookies complies with the GDPR.

For further information: Datatilsynet Website | Erhvervsstyrelsen Website | Erhvervsstyrelsen Website

10/06/2021 – Danish Supervisory Authority | Guidance | Data Processing Agreement

The Danish Supervisory Authority provided guidance to help organizations choose between its own template of Data Processing Agreement and that published by the European Commission.

The Authority advises to use the Danish template if both the controller and the processor are established and operate exclusively in Denmark and the ones of the Commission when at least one of the parties is located and/or operates in another European or third country.

As a reminder, using those templates is not mandatory but has certain advantages. For example, Supervisory Authorities do not examine their provisions in detail when carrying out inspections.

For further information: Datatilsynet Website


10/21/2021 – French Supervisory Authority | Draft Recommendation | Passwords

The French Supervisory Authority published a draft Recommendation on passwords, and opened a public consultation on the same.

The draft aims to update the 2017 Recommendation on passwords to take into account the evolution of knowledge and to allow organizations to ensure a minimum level of security. New developments include the definition of a password policy based on the degree of unpredictability of a password and not on its minimum length, as well as best practices for creating and renewing passwords to ensure security throughout the lifecycle.

The public consultation is open until 3 December 2021, with a view to the publication of the final Recommendation early 2022.

For further information: CNIL Website

10/13/2021 – French Supervisory Authority | Guidance | Alternatives to Third-Party Cookie

The French Supervisory Authority published a post reminding that alternatives to third-party cookies developed for targeted advertising must also comply with data protection rules, in particular with consent requirements.

The Authority classifies alternatives to third-party cookies in four categories, namely first-party cookies and browser fingerprinting, Single Sign-On, unique identifiers and cohort-based targeted advertising.

For further information: CNIL Website

10/06/2021 – French Supervisory Authority | White Paper | Payment Methods

The French Supervisory Authority issued a White Paper on data and payment methods.  
The White Paper aims to develop eight key messages relating to payment methods, including the preservation of the anonymity of payments, the use of cash, and the free choice of means of payment; the main GDPR compliance issues; the importance of the security of payment data; or recommendations on European projects in that area.

A public consultation on the White Paper is open until 15 December 2021.

For further information: CNIL Website


10/27/2021 – Baden-Württemberg Supervisory Authority | Guidance | Video Conference Systems

The Baden-Württemberg Supervisory Authority published new guidance on video conference systems, intended to assist companies, public authorities and associations in selecting suitable video conferencing services.

In particular, the Guide examines some of the most widely used services from a data protection and technical perspective.

For further information: LfDI BW Website

10/19/2021 – German Data Protection Conference | Guidance | Employee Vaccination Status

The German Data Protection Conference issued guidance on whether an employer is entitled to ask employees about their vaccination status.

The Authority emphasizes that an employer may not request its employees’ vaccination status with regard to Covid-19, except in one of the few cases expressly provided for by law, for example in the field of medical care.

However, an employer is authorized to collect or note the vaccination status of employees who provide it voluntarily in order to be exempt from a statutory obligation to get tested.

For further information:DSK Website

10/04/2021 – Higher Regional Court of Munich | Judgement | Data Subject Rights

The Higher Regional Court of Munich issued a judgement stating that the right of access and the right to obtain a copy of the personal data are independent claims, as both lead to different legal consequences.

As a reminder, the scope and exact requirements of the access right have been subject to various decisions of German courts recently, such as a decision of the Higher Labor Court of Saxony, which raised the burden of proof for the data subject exercising the right of access.

For further information: Court Website

10/01/2021 – Bavarian Supervisory Authority | Guidance | Cookies on Public Authorities’ Websites

The Bavarian Supervisory Authority issued guidance regarding consent to cookies used on Bavarian public authorities’ websites.

The Authority explains the applicable legal framework with regard to data privacy and gives practical advice to website visitors.

For further information: BayLfD Website

10/01/2021 – Baden-Württemberg Supervisory Authority | Guidance | International Data Transfers

The Baden-Württemberg Supervisory Authority released an update of its guidance on international data transfers.

The most important updates in the guidance are related to the publication of the new Standard Contractual Clauses by the European Commission.

The Authority also updated its FAQ on the concepts and responsibilities of controller and processor in light of the new European Data Protection Board’s Guidelines on the topic.

For further information: LfDI Website

10/01/2021 – Administrative Court of Wiesbaden | Reference for a Preliminary Ruling | Automated Individual Decision-Making | Credit Agencies

The Administrative Court of Wiesbaden referred a question to the Court of Justice of the European Union, asking whether the creation of score values by credit agencies and their subsequent transmission to a company requesting information regarding these score values falls within the scope of Art. 22 (1) of the GDPR on automated individual decision-making.

For further information: Court Website


10/12/2021 – Irish Supervisory Authority | Statement | 2022 Budget

The Irish Supervisory Authority issued a statement welcoming the increased funding of €4.1 million for the office in Budget 2022.

The Authority discloses that its workload has continued to grow year-on-year and that, in 2020, 10,151 individual cases were handled and over 60% of complaints lodged were concluded within the same calendar year.

For further information: DPC Website


10/25/2021 – Italian Supervisory Authority | Guidance | Passwords

The Italian Supervisory Authority published guidance on setting and managing secure passwords.

For further information: Garante Website

10/19/2021 – Italian Supervisory Authority | Sanction | Unsolicited Direct Marketing Calls

The Italian Supervisory Authority announced that it has fined a television network more than €3.2 million for making unsolicited direct marketing calls without information or consent, using lists acquired from other companies.

The decision also prohibits any further processing for marketing purposes using these lists.

For further information: Garante Website


10/26/2021 – Luxembourg Supervisory Authority | Guidelines | Cookies

The Luxembourg Supervisory Authority issued updated guidelines on the use of cookies and other trackers.

The guidelines aim to help operators of websites and applications to comply with the applicable rules, notably by providing examples of good practices.

For further information: CNPD Website

10/19/2021 – Luxembourg Supervisory Authority | 2020 Annual Report

The Luxembourg Supervisory Authority issued its 2020 Annual Report.

In particular, the Report outlines that reported data breaches increased from 354 in 2019 to 379 in 2020, with human error remaining the main cause.

For further information: CNPD Website


10/19/2021 – Norwegian Supervisory Authority | Sanction | Ransom Attack

The Norwegian Supervisory Authority fined a municipality NOK 4 million (approx. €400,000) in the context of a ransomware attack, for not having sufficient security measures in place.

For further information: Datatilsynet Website


10/21/2021 – Spanish Supervisory Authority | Sanction | Profiling

The Spanish Supervisory Authority published a decision to fine a bank €3 million for several breaches, including the unlawful profiling of its clients for commercial purposes.

For further information: AEPD Decision

United Kingdom

10/27/2021 – UK Supervisory Authority | Statement | Video Teleconferencing Companies

The UK Supervisory Authority issued a statement on the dialogue between video teleconferencing companies (“VTC”) and data protection authorities, as regards global privacy expectations.

As a reminder, in July 2020, six data protection and privacy authorities signed an open letter to VTC companies, which highlighted concerns about whether privacy safeguards were keeping pace with the rapid increase in use of VTC services during the global pandemic, and provided VTC companies with some guiding principles to address key privacy risks.

For further information: ICO Website

10/22/2021 – UK Supervisory Authority | Sanction | Bulk Email Practices

The UK Supervisory Authority fined a charity £10,000 (approx. €12,000) for revealing personal data in email error.

The decision outlines that the email addresses were visible to all recipients, and 65 of the addresses identified people by name. Shortcomings in the charity’s email procedures include inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy.

For further information: ICO Website

10/13/2021 – UK Supervisory Authority | Code of Practice | Journalism

The UK Supervisory Authority released a draft journalism code of practice, and opened a public consultation on the same.

The draft code provides practical guidance to help individuals understand data protection law and comply effectively with its requirements and is designed to be most helpful to media organizations and staff with data protection responsibilities, including lawyers, data protection officers and senior editorial staff.
The public consultation is open until 10 January 2022.

For further information: ICO Website

10/07/2021 – UK Supervisory Authority | Response | Reform to UK Data Protection Regime

The UK Supervisory Authority (ICO) issued a response to the consultation on the proposed reforms to the UK’s data protection regime.

As a reminder, on 10 September 2021, the Department for Digital, Culture, Media & Sport launched a public consultation on its envisaged reform to UK data protection law.

The Authority supports the proposals to make innovation easier for organizations and to reform the ICO’s constitution, but expresses strong concerns as regards its regulatory independence.

For further information: ICO Website

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.