June 4, 2020
05/20/2020 – EDPB | Register | Cooperation procedure
The European Data Protection Board (EDPB) announced that it will publish on its website a register containing the decisions taken by national supervisory authorities following the “one-stop-shop” cooperation procedure of Article 60 of the GDPR.
For further information: EDPB Website
05/20/2020 – EDPB | Opinion | Draft Standard Contractual Clauses
The European Data Protection Board (EDPB) adopted an opinion on the draft standard contractual clauses (controller-processor) submitted by the Slovenian supervisory authority.
In this opinion, the EDPB makes a number of recommendations, which must be taken into account in order to consider these draft clauses as standard contractual clauses. If all recommendations are implemented, the Slovenian supervisory authority may adopt this draft agreement as standard contractual clauses in accordance with Article 28(8) of the GDPR.
For more information: EDPB Website
05/18/2020 – EDPB | Annual Report 2019
The European Data Protection Board (EDPB) published on its website its 2019 annual report.
In its report, the EDPB lists in particular the documents adopted in the course of 2019 and the various actions taken by national supervisory authorities, including the sanctions imposed in 2019.
Furthermore, the EDPB presents its main objectives for 2020 which include the adoption of guidelines on different topics, such as the role of controller and processor, the rights of data subjects and the concept of legitimate interests.
For further information: EDPB Website
05/13/2020 – European Commission | Guidelines | Tracing applications | Interoperability
The European Commission published interoperability guidelines for approved contact tracing mobile applications in the European Union.
The objective of these guidelines is to enable interoperability between the various contact tracing applications developed within the European Union in order to enable citizens to use the applications wherever they are in the Union.
For further information: Press release European Commission | Guidelines
05/04/2020 – EDPB | Guidelines (05/2020) | Consent
The European Data Protection Board (EDPB) adopted guidelines (05/2020) on consent.
These new guidelines update the guidelines on consent under the GDPR adopted on April 10, 2018 (WP259) by providing clarifications on the practice of “cookie wall” and on the fact that browsing a website does not meet the requirements of a valid consent (please refer to the example n°16 of the guidelines).
For further information: Guidelines 05/2020
05/25/2020 – Belgian Supervisory Authority | Annual Report
The Belgian Supervisory Authority published on its website its annual activity report.
The Belgian authority notably highlights that it has carried out more than 100 controls and imposed 59 sanctions from May 2019 to May 2020. The authority also reports that it has received during this period almost 1,000 data breach notifications, around 350 complaints and more than 4,000 information requests.
For further information: Belgian Supervisory Authority Website
05/14/2020 – Belgian Supervisory Authority | Sanction | Legal basis
The Belgian Supervisory Authority imposed a fine of €50,000 on a social network for processing personal data without a valid legal basis.
In its decision, the authority examined the tool offered by a social network allowing its users to invite contacts and sanctioned the fact that the social network processed personal data of non-members of the network, storing their data and sending them invitations, without a valid legal basis.
The Belgian Supervisory Authority acted as the lead supervisory authority on this case and cooperated with other European supervisory authorities to impose this sanction.
For further information: Belgian Supervisory Authority Website | IAPP Website
05/15/2020 – Danish Supervisory Authority | Sanction | Access request
The Danish Supervisory Authority imposed a fine of DKK 50,000 (around €6,700) on JobTeam, a Danish recruitment company.
The authority accuses the company of having deleted personal data subject to an access request made by a data subject, during the period following the request and before providing an answer. The Danish Supervisory Authority became aware of the case on the basis of a complaint.
For further information: EDPB Website | IAPP Website
05/18/2020 – Finnish Supervisory Authority | Sanctions | Various data protection violations
The Finnish Supervisory Authority imposed administrative fines on three companies for data protection violations.
The concerned companies have been respectively sanctioned to €100,000 for deficiency in information provided to individuals on data protection rights (in the context of marketing communications), €16,000 for neglecting to conduct a data protection impact assessment (in the context of employees’ location data processing), and €12,500 for unnecessary collection of personal data with an obligation to delete the unnecessary data (in the context of job applicants and employees data processing).
For further information: EDPB Website | Finnish DPA Website
05/19/2020 – French Supervisory Authority | Recommendation | Anonymization
The French Supervisory Authority (CNIL) published on its website recommendations regarding the anonymization of personal data.
In its publication, the CNIL refers to the anonymization techniques and the issues at stake. After reminding the definition of anonymization, the CNIL specifies the means to anonymize data, verify the effectiveness of the anonymization and address the related risks.
For further information: CNIL Website
05/18/2020 – French Supervisory Authority | Statement | Drone surveillance | Sanitary measures
In a statement, the French Supervisory Authority (CNIL) indicated that investigations are currently being conducted by the authority. These investigations target the police services and cover both the current situation and the period of lock down.
By a summary order dated May 18, 2020, the French Council of State (“Conseil d’Etat”) enjoined the State to cease, without delay, to implement surveillance measures in Paris using drones in order to monitor compliance with health security rules applicable during the deconfinement period. The Council of State ruled that these drones were being used outside the framework provided for by the French Data Protection Act and were a serious and manifestly unlawful infringement of the right to privacy. The CNIL has also questioned these practices and has carried out investigations with the French Ministry of the Interior concerning the use of drones in several cities.
For further information: CNIL Website
05/07/2020 – French Supervisory Authority | Employers | Covid-19
The French Supervisory Authority (CNIL) updated its publication on its website related to the collection of personal data by employers in order to adapt them to the measures implemented during deconfinement.
The CNIL notably provides details on certain employer practices: temperature readings at the entrance, implementation of serological tests and health status questionnaires, as well as business continuity plans.
For further information: CNIL Website
05/22/2020 – Irish Supervisory Authority | Twitter | Draft decision
The Irish Supervisory Authority (DPC) indicated it has submitted a draft decision on the investigation against Twitter International Company to the other concerned supervisory authorities.
The draft decision relates to Twitter International Company’s compliance with Articles 33(1) and 33(5) of the GDPR related to personal data breach notification obligations. The draft decision has been submitted to the other concerned supervisory authorities in the context of the cooperation procedure provided by Article 60 of the GDPR. In its press release, the DPC also presents the status of other ongoing investigations.
For further information: DPC Website
05/01/2020 – Irish Supervisory Authority | Data Breach
The Irish Supervisory Authority (DPC) published advice on its website on how to avoid data breaches.
For further information: DPC Website
05/07/2020 – Italian Supervisory Authority | FAQs | COVID-19
The Italian Supervisory Authority published on its website a FAQ on the processing of personal data in the context of the Covid-19 pandemic.
The FAQs notably cover the data processing carried out by employers, schools and in the field of health care, clinical trials and medical research.
For further information: Italian Supervisory Authority Website |IAPP Website
05/07/2020 – Dutch Supervisory Authority | Investigation | Minors | TikTok
The Dutch Supervisory Authority is investigating whether the TikTok application complies with privacy regulations, in particular on the processing of personal data of minors.
The investigation notably aims to determine whether the information provided to minors when downloading and using the application is easy to understand and sufficiently explains how personal data are processed. The authority is also analyzing TikTok’s compliance with parental consent requirements.
For further information: Dutch Supervisory Authority Website | IAPP Website
05/12/2020 – Swedish Supervisory Authority | Sanction | Sensitive data
The Swedish Data Protection Authority has imposed a fine of SEK 120,000 (around €11,000) on the Healthcare Committee in Region Örebro County following the publication on the region’s website of sensitive data about a patient.
The authority’s investigation revealed in particular that the Healthcare Committee had not taken sufficient organizational measures to ensure that personal data were protected from being wrongfully published on the region’s website.
For further information: EDPB Website
05/20/2020 – UK Supervisory Authority | Guidance | Artificial Intelligence
The UK Supervisory Authority (ICO) published a guidance, developed with the Alan Turing Institute, presenting practical advice for organizations to help explain to individuals the processes, services and decisions provided or assisted by artificial intelligence.
For further information: ICO Website
05/07/2020 – UK Supervisory Authority | Statement | Adtech
In a statement, the UK Supervisory Authority (ICO) indicated that it had decided to suspend its investigations into real-time bidding and the Adtech industry.
For further information: ICO Website
05/05/2020 – UK Supervisory Authority | Priorities
The UK Supervisory Authority (ICO) published on its website the priorities for the upcoming months.
In the upcoming months, the authority’s activity will focus notably on the protection of vulnerable citizens, the development of good practices in the field of artificial intelligence, as well as on transparency.
For further information: ICO Website | ICO Publication
05/04/2020 – UK Supervisory Authority | Guidelines | Contact tracing applications
The UK Supervisory Authority (ICO) published a notice in which it sets out how contact tracing applications can be developed in accordance with the principles of privacy by design and privacy by default.
For further information: ICO Statement | ICO Publication
05/20/2020 – Cyberattack | EasyJet
The Nextinpact website reports that EasyJet company suffered a cyber attack that led to the data leakage of 9 million customers.
For further information: Nextinpact Website
05/14/2020 – Court of Justice of the European Union | Schrems II Case
The IAPP website reports that the Court of Justice of the European Union has announced on Twitter that the judgment in case C-311/18 – Facebook Ireland and Schrems, known as ‘Schrems II’, will be issued next 16 July.
For further information: IAPP Website
05/13/2020 – Austrian Supervisory Authority | Complaint | NOYB Association | Google
The IAPP website reports that the NOYB association has lodged a complaint against Google before the Austrian Supervisory Authority concerning the Android advertising identifier installed by Google on mobile devices without the users’ consent.
For further information: IAPP Website
This newsletter has been prepared by the Technology & Innovation team of the Paris office. For further information, you may contact us by email:
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.