Gibson Dunn | Europe | Data Protection – September 2021

October 20, 2021

Personal Data Watch

European Union

09/27/2021 – European Commission | Deadline | New Standard Contractual Clauses

As of 27 September 2021, the European Commission requires controllers and processors to rely on the updated Standard Contractual Clauses for any new contracts governing personal data transfers from the European Economic Area.

As a reminder, contracts concluded before this date can continue to rely on the former Standard Contractual Clauses until 27 December 2022 provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.

For further information: Commission Website

09/27/2021 – European Data Protection Board | Taskforce | Cookie banner

The European Data Protection Board set up a taskforce to coordinate the response to complaints concerning cookie banners filed with several Supervisory Authorities by the non-governmental organisation None Of Your Business.

The taskforce aims to promote cooperation, information sharing and best practices between the Supervisory Authorities. In particular, the taskforce will exchange views on legal analysis and possible infringements, provide support to activities on the national level and streamline communication.

For further information: EDPB Website

09/24/2021 – European Data Protection Board | Opinion | Draft South Korea Adequacy Decision

The European Data Protection Board adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea.

The Opinion focuses on general data protection aspects and on access by public authorities to personal data transferred from the European Economic Area to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA. The Opinion also assesses whether the safeguards provided under the Korean legal framework are effective.

In this respect the Board’s Chair stated: “While we underline that core aspects of the Korean data protection framework are essentially equivalent to those of the European Union, we call on the Commission to further clarify certain aspects and to closely monitor the situation.”

For further information: EDPB Website

09/13/2021 – European Union Agency for Cybersecurity | Methodology | Sectoral Cybersecurity Assessment

The European Union Agency for Cybersecurity published a Methodology for a Sectoral Cybersecurity Assessment.

The Methodology aims to enable the preparation of European cybersecurity certification schemes for sectoral information and communications technology infrastructures and ecosystems. Examples of targeted market sectors include mobile networks, 5G, electronic identity, eHealth, payments, Mobility as a Service and automotive.

For further information: ENISA Website

Finland

09/29/2021 – Finnish Supervisory Authority | Annual Report

The Finnish Supervisory Authority published its 2020 annual report.

The report outlines the increase in the number of security breach notifications.

For further information: Ombudsman Website

09/13/2021 – Finnish Cookies Authority | Guidelines | Cookies

The Finnish Transport and Communications Agency, which is the newly designated Authority in charge of the questions relating to cookies in Finland, published updated guidelines on cookies.

The revised guidelines result from the decisions of the Finnish Administrative Court that clarified the interpretation of the consent requirement for cookies. They include a guide for users of online services and a guide for providers of such services.

The Agency is also investigating about a hundred complaints concerning cookies.

For further information: TRAFICOM Website

France

09/29/2021 – French Supervisory Authority | Q&A | Health pass

The French Supervisory Authority published two sets of Q&As relating to the collection of personal data in the workplace and to the verification of the health pass or vaccination status.

The Q&As address, inter alia, the obligations of the employers and employees in the context of the fight against the pandemic as well as the data protection requirements when verifying health passes.

For further information: CNIL Website | CNIL Website

09/24/2021 – French Supervisory Authority | Recommendations | Clinical Trials

The French Supervisory Authority issued temporary recommendations on clinical trials remote monitoring during the Covid-19 crisis.

Due to constraints relating to the pandemic, clinical trials monitoring must be conducted remotely. In this regard, the CNIL provides its recommendations, which are effective until 15 November 2021.

For further information: CNIL Website

09/20/2021 – French Supervisory Authority | Consultation | Recruitment

The French Supervisory Authority launched a public consultation on its draft guide on the processing of personal data in the recruitment sector.

The draft guide will replace the 2002 Recommendation on the same topic and notably addresses innovative issues resulting from the use of new technologies by recruiters.

The public consultation is open until 19 November 2021.

For further information: CNIL Website

09/14/2021 – French Supervisory Authority | Statement | Cookies | Enforcement Actions

The French Supervisory Authority issued a statement on its past and future enforcement actions to ensure compliance with the rules on cookies.

As a reminder, at the end of June, the Authority issued formal notices to companies that did not allow users to refuse cookies as easily as to accept them. The statement outlines that 80% of the companies concerned are now compliant.

The Authority also announces that it will continue its controls and pronounce the necessary corrective measures.

For further information: CNIL Website

09/09/2021 – French Supervisory Authority | Tool | Self-Assessment | Data Protection Management

The French Supervisory Authority issued a self-assessment model to enable organisations to measure their level of maturity as regards their management of data protection and to determine how to improve it.

The draft model describes eight typical activities relating to data protection in five maturity levels, illustrated with examples of actions or outputs.

For further information: CNIL Website

Germany

09/24/2021 – Hamburg Supervisory Authority | Sanction | Transparency

The Hamburg Supervisory Authority fined an energy company approximately €900,000 for failing to ensure transparency as regards data comparison activities carried out by the company.

The Authority clarifies that the fine concerns transparency but is without prejudice to the question of the lawfulness of the processing activity itself. Even though the company fully cooperated with the Authority and the fine was therefore significantly reduced, it is still substantial. According to the Authority, it should be seen as a warning to all companies not to neglect their transparency obligations under the GDPR.

For further information: HmbBfDI Website

09/17/2021 – Berlin Supervisory Authority | Statement | Digital Tools in Schools

The Berlin Supervisory Authority released a statement regarding a new law passed by the Berlin legislator, which regulates the processing of personal data of pupils and teachers in Berlin.

According to the Authority, the new law includes, inter alia, an express legal basis for the processing of personal data in relation with the use of digital tools such as video conferencing tools.

For further information: BlnBDI Website

09/14/2021 – Hessian Supervisory Authority | Guidelines | Faxes

The Hessian Supervisory Authority released guidelines on the use of faxes for the transmission of personal data, stating that this may not be compliant with the GDPR.

The Authority thus removed its own fax number from its website.

For further information: HBDI Website

Ireland

09/15/2021 – Irish Supervisory Authority | Statement | Revised Breach Notification Web-Forms

The Irish Supervisory Authority announced the publication of its new breach notification web-forms in the coming weeks.

As a reminder, the breach web-forms are used by data controllers to notify personal data breaches. The purpose of this revision is notably to improve ease-of-use for data controllers and to reduce common errors or misunderstandings when breach web-forms are submitted.

For further information: DPC Website

Italy

09/16/2021 – Italian Supervisory Authority | Sanction | Data transfers

The Italian Supervisory Authority fined a university €200,000 for various violations of the GDPR, including in relation to data transfers to third countries.

The decision identifies violations regarding the transfer of personal data to a processor established in the US. In particular, it outlines that the documentation provided by the university contained no evidence that a risk assessment had been carried out in light of the Schrems II ruling dated 16 July 2020. The same considerations apply to the transfer of personal data to the sub-processor, which was also based in the US.

In the calculation of the fine, the Italian Supervisory Authority took into account that the consequences of the Schrems II Case may, in some cases, be complex to implement, and, more generally, that the legal framework on international transfers is evolving.

For further information: Garante Website

09/10/2021 – Italian Supervisory Authority | Sanction | Publication of Students’ Data

The Italian Supervisory Authority announced that it fined the Lombardy Region €200,000 in July for the unlawful publication of a list of beneficiaries of social aid.

The Authority outlines that the Lombardy Region disclosed the personal data of more than 100,000 students who requested scholarships or other public benefits, consequently revealing their financial difficulties.

For further information: Garante Website

09/10/2021 – Italian Supervisory Authority | Sanction | Unlawful Processing And Transparency

The Italian Supervisory Authority announced that it fined the Municipality of Rome and its processors a total of €1 million in July for failing to take data protection rules into account when implementing a technological update to the city’s parking meters.

In particular, the Authority points out the lack of information given to data subjects, as well as the absence of data processing agreements between Rome and the contractors.

For further information: Garante Website

Norway

09/27/2021 – Norwegian Supervisory Authority | Sanction | Illegal Transfer

The Norwegian Supervisory Authority fined a Norwegian toll company NOK 1,000,000 (approx. €100,000) for having illegally transferred motorists’ personal data to China.

The sanction outlines that the company failed to implement a data processing agreement as well as a transfer risk assessment, and lacked a legal basis for such transfers.

For further information: Datatilsynet Website

Spain

09/14/2021 – Spanish Supervisory Authority | Sanctions

The Spanish Supervisory Authority published four fines that it imposed on a telecommunications operator, totalling €264,000, for a number of GDPR violations.

The conduct sanctioned by the Authority includes the failure to verify customer identity, the processing of personal data without a valid legal basis and the unauthorized access to personal data by third parties.

For further information: AEPD Website | AEPD Website | AEPD Website | AEPD Website

United Kingdom

09/15/2021 – UK Supervisory Authority | Sanction | Nuisance messages

The UK Supervisory Authority announced that four companies have been fined a total of £495,000 (approx. €580,000) for having sent more than 354 million nuisance messages.

The Authority outlines that none of the companies had permission to send such communications to the recipients, as the recipients had not provided their consent.

For further information: ICO Website

09/10/2021 – Department for Digital, Culture, Media & Sport | Consultation | Data Protection Regime

The Department for Digital, Culture, Media & Sport launched a public consultation on its proposed reforms to the UK’s data protection regime.

The 146-page proposal is part of the UK government’s National Data Strategy published in 2020, which suggested that the UK may start to move away from EU law.

The envisaged reform aims to secure a data regime that promotes growth and innovation for UK businesses, while also maintaining public trust. Key objectives include reducing barriers and burdens on businesses, including concerning data flows, as well as reforming the UK Supervisory Authority.

The consultation will close on 19 November 2021.

For further information: DCMS Website

09/05/2021 – UK Supervisory Authority | Sanction | Nuisance Calls

The UK Supervisory Authority announced that it has fined a company £150,000 (approx. €170,000) for making unsolicited direct marketing calls to subscribers who were registered with a ‘Do Not Call’ register.

The Authority also underlines that using false trading names and disguising the telephone numbers when placing the calls is illegal.

For further information: ICO Website

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.