Gibson Dunn | Europe | Data Protection – June 2020

June 4, 2020


Personal Data Watch

European Union

05/20/2020 – EDPB | Register | Cooperation procedure

The European Data Protection Board (EDPB) announced that it will publish on its website a register containing the decisions taken by national supervisory authorities following the “one-stop-shop” cooperation procedure of Article 60 of the GDPR.

For further information: EDPB Website

05/20/2020 – EDPB | Opinion | Draft Standard Contractual Clauses

The European Data Protection Board (EDPB) adopted an opinion on the draft standard contractual clauses (controller-processor) submitted by the Slovenian supervisory authority.

In this opinion, the EDPB makes a number of recommendations, which must be taken into account in order to consider these draft clauses as standard contractual clauses. If all recommendations are implemented, the Slovenian supervisory authority may adopt this draft agreement as standard contractual clauses in accordance with Article 28(8) of the GDPR.

For more information: EDPB Website

05/18/2020 – EDPB | Annual Report 2019

The European Data Protection Board (EDPB) published on its website its 2019 annual report.

In its report, the EDPB lists in particular the documents adopted in the course of 2019 and the various actions taken by national supervisory authorities, including the sanctions imposed in 2019.

Furthermore, the EDPB presents its main objectives for 2020 which include the adoption of guidelines on different topics, such as the role of controller and processor, the rights of data subjects and the concept of legitimate interests.

For further information: EDPB Website

05/13/2020 – European Commission | Guidelines | Tracing applications | Interoperability

The European Commission published interoperability guidelines for approved contact tracing mobile applications in the European Union.

The objective of these guidelines is to enable interoperability between the various contact tracing applications developed within the European Union in order to enable citizens to use the applications wherever they are in the Union.

For further information: Press release European Commission | Guidelines

05/04/2020 – EDPB | Guidelines (05/2020) | Consent

The European Data Protection Board (EDPB) adopted guidelines (05/2020) on consent.

These new guidelines update the guidelines on consent under the GDPR adopted on April 10, 2018 (WP259) by clarifying the practice of “cookie walls” and the fact that browsing a website does not meet the requirements for valid consent (see example 16 of the guidelines).

For further information: Guidelines 05/2020


05/25/2020 – Belgian Supervisory Authority | Annual Report

The Belgian Supervisory Authority published on its website its annual activity report.

The Belgian authority notably highlights that it carried out more than 100 controls and imposed 59 sanctions from May 2019 to May 2020. The authority also reports that during this period it received almost 1,000 data breach notifications, around 350 complaints and more than 4,000 information requests.

For further information: Belgian Supervisory Authority Website

05/14/2020 – Belgian Supervisory Authority | Sanction | Legal basis

The Belgian Supervisory Authority imposed a fine of €50,000 on a social network for processing personal data without a valid legal basis.

In its decision, the authority examined the tool offered by a social network allowing its users to invite contacts and sanctioned the fact that the social network processed personal data of non-members of the network, storing their data and sending them invitations, without a valid legal basis.

The Belgian Supervisory Authority acted as the lead supervisory authority on this case and cooperated with other European supervisory authorities to impose this sanction.

For further information: Belgian Supervisory Authority Website | IAPP Website


05/15/2020 – Danish Supervisory Authority | Sanction | Access request

The Danish Supervisory Authority imposed a fine of DKK 50,000 (around €6,700) on JobTeam, a Danish recruitment company.

The authority accuses the company of having deleted personal data subject to an access request made by a data subject, during the period following the request and before providing an answer. The Danish Supervisory Authority became aware of the case on the basis of a complaint.

For further information: EDPB Website | IAPP Website


05/18/2020 – Finnish Supervisory Authority | Sanctions | Various data protection violations

The Finnish Supervisory Authority imposed administrative fines on three companies for data protection violations.

The companies concerned were fined, respectively, €100,000 for deficiencies in the information provided to individuals on data protection rights (in the context of marketing communications), €16,000 for neglecting to conduct a data protection impact assessment (in the context of processing employees’ location data), and €12,500 for unnecessary collection of personal data, with an obligation to delete the unnecessary data (in the context of processing job applicants’ and employees’ data).

For further information: EDPB Website | Finnish DPA Website


05/19/2020 – French Supervisory Authority | Recommendation | Anonymization

The French Supervisory Authority (CNIL) published on its website recommendations regarding the anonymization of personal data.

In its publication, the CNIL discusses anonymization techniques and the issues at stake. After recalling the definition of anonymization, the CNIL specifies the means to anonymize data, verify the effectiveness of the anonymization and address the related risks.

For further information: CNIL Website

05/18/2020 – French Supervisory Authority | Statement | Drone surveillance | Sanitary measures

In a statement, the French Supervisory Authority (CNIL) indicated that investigations are currently being conducted by the authority. These investigations target the police services and cover both the current situation and the period of lockdown.

By a summary order dated May 18, 2020, the French Council of State (“Conseil d’Etat”) enjoined the State to cease, without delay, implementing surveillance measures in Paris using drones in order to monitor compliance with health security rules applicable during the deconfinement period. The Council of State ruled that these drones were being used outside the framework provided for by the French Data Protection Act and were a serious and manifestly unlawful infringement of the right to privacy. The CNIL has also questioned these practices and has carried out investigations with the French Ministry of the Interior concerning the use of drones in several cities.

For further information: CNIL Website

05/07/2020 – French Supervisory Authority | Employers | Covid-19

The French Supervisory Authority (CNIL) updated the publication on its website on the collection of personal data by employers in order to adapt it to the measures implemented during deconfinement.

The CNIL notably provides details on certain employer practices: temperature readings at the entrance, implementation of serological tests and health status questionnaires, as well as business continuity plans.

For further information: CNIL Website


05/22/2020 – Irish Supervisory Authority | Twitter | Draft decision

The Irish Supervisory Authority (DPC) indicated it has submitted a draft decision on the investigation against Twitter International Company to the other concerned supervisory authorities.

The draft decision relates to Twitter International Company’s compliance with Articles 33(1) and 33(5) of the GDPR related to personal data breach notification obligations. The draft decision has been submitted to the other concerned supervisory authorities in the context of the cooperation procedure provided by Article 60 of the GDPR. In its press release, the DPC also presents the status of other ongoing investigations.

For further information: DPC Website

05/01/2020 – Irish Supervisory Authority | Data Breach

The Irish Supervisory Authority (DPC) published advice on its website on how to avoid data breaches.

For further information: DPC Website


05/07/2020 – Italian Supervisory Authority | FAQs | COVID-19

The Italian Supervisory Authority published on its website a FAQ on the processing of personal data in the context of the Covid-19 pandemic.

The FAQs notably cover the data processing carried out by employers, schools and in the field of health care, clinical trials and medical research.

For further information: Italian Supervisory Authority Website | IAPP Website


05/07/2020 – Dutch Supervisory Authority | Investigation | Minors | TikTok

The Dutch Supervisory Authority is investigating whether the TikTok application complies with privacy regulations, in particular on the processing of personal data of minors.

The investigation notably aims to determine whether the information provided to minors when downloading and using the application is easy to understand and sufficiently explains how personal data are processed. The authority is also analyzing TikTok’s compliance with parental consent requirements.

For further information: Dutch Supervisory Authority Website | IAPP Website


05/12/2020 – Swedish Supervisory Authority | Sanction | Sensitive data

The Swedish Data Protection Authority has imposed a fine of SEK 120,000 (around €11,000) on the Healthcare Committee in Region Örebro County following the publication on the region’s website of sensitive data about a patient.

The authority’s investigation revealed in particular that the Healthcare Committee had not taken sufficient organizational measures to ensure that personal data were protected from being wrongfully published on the region’s website.

For further information: EDPB Website

United Kingdom

05/20/2020 – UK Supervisory Authority | Guidance | Artificial Intelligence

The UK Supervisory Authority (ICO) published guidance, developed with the Alan Turing Institute, presenting practical advice for organizations to help explain to individuals the processes, services and decisions provided or assisted by artificial intelligence.

For further information: ICO Website

05/07/2020 – UK Supervisory Authority | Statement | Adtech

In a statement, the UK Supervisory Authority (ICO) indicated that it had decided to suspend its investigations into real-time bidding and the Adtech industry.

For further information: ICO Website

05/05/2020 – UK Supervisory Authority | Priorities

The UK Supervisory Authority (ICO) published on its website its priorities for the upcoming months.

In the upcoming months, the authority’s activity will focus notably on the protection of vulnerable citizens, the development of good practices in the field of artificial intelligence, as well as on transparency.

For further information: ICO Website | ICO Publication

05/04/2020 – UK Supervisory Authority | Guidelines | Contact tracing applications

The UK Supervisory Authority (ICO) published a notice in which it sets out how contact tracing applications can be developed in accordance with the principles of privacy by design and privacy by default.

For further information: ICO Statement | ICO Publication


05/20/2020 – Cyberattack | EasyJet

The Nextinpact website reports that EasyJet suffered a cyberattack that led to the leakage of the data of 9 million customers.

For further information: Nextinpact Website

05/14/2020 – Court of Justice of the European Union | Schrems II Case

The IAPP website reports that the Court of Justice of the European Union has announced on Twitter that the judgment in case C-311/18 – Facebook Ireland and Schrems, known as ‘Schrems II’, will be issued on 16 July.

For further information: IAPP Website

05/13/2020 – Austrian Supervisory Authority | Complaint | NOYB Association | Google

The IAPP website reports that the NOYB association has lodged a complaint against Google before the Austrian Supervisory Authority concerning the Android advertising identifier installed by Google on mobile devices without the users’ consent.

For further information: IAPP Website

This newsletter has been prepared by the Technology & Innovation team of the Paris office. For further information, you may contact us by email:

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.