Gibson Dunn | Europe | Data Protection – May 2020

May 4, 2020

Click for PDF

Personal Data Watch

European Institutions

04/28/2020 – Council of Europe | Statement | COVID-19 | Digital contact tracing

In a joint statement, the Chair of the Council of Europe’s data protection “Convention 108” committee and the Council of Europe’s Data Protection Commissioner have warned of the possible side effects of digital contact tracing applications and call for adequate safeguards to prevent risks to personal data and privacy.

Aimed at contributing to deliberations currently underway in many countries, the joint statement has been issued in order to remind that strict legal and technical safeguards need to be put in place before implementing digital contact tracing measures (such as conducting impact assessments and audits, complying with the privacy by design and data minimization principles, ensuring systems’ security and temporariness of the processing). This statement follows a first Joint Declaration on the right to data protection in the context of the COVID-19 pandemic issued on 30 March.

For further information: Publication Council of Europe | Council of Europe Website

04/21/2020 – EDPB | Guidelines | COVID-19 | Health data processing and tracing tools

The European Data Protection Board (EDPB) adopted guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak, as well as guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.

Exceptionally, these guidelines will not be subject to public consultation due to the emergency of the current situation. The guidelines on the processing of health data for research purposes focus on the most urgent legal issues regarding the use of health data (in particular, legal basis of the processing, further processing of health data for scientific reseach purposes, implementation of adequate safeguards, exercise of data subjects’ rights).

The guidelines on geolocation and other tracing tools clarify, inter alia, the conditions and principles for the use of location data and contact tracing tools. The guidelines underline that both the GDPR and the ePrivacy Directive include provisions to support authorities and actors in the fight against the spread of COVID-19. Furthermore, the EDPB clarifies that the opinion expressed in its letter of 14, 2020 adressed to the European Commission is maintained, i.e., the use of contact tracing applications should be on a voluntary basis and not based on the search of individual movements. As an annex to the guidelines, the EDPB adopted a guide for contract tracing applications in order to provide guidance to the developer and users of these applications.

For more information: Website EDPB | Guidelines 03/2020 | Guidelines 04/2020 | Gibson Dunn Client Alert

04/17/2020 – European Commission | Orientations | COVID-19 | Apps

The European Commission published guidance on applications supporting the fight against COVID-19.

The guidance sets out the criteria and requirements that applications must meet in order to ensure compliance with data protection regulations (e.g., retention of control by users, applicable legal basis, data minimization principle). The guidance applies only to applications used on a voluntary basis in the fight against COVID-19.

For further information: Publication European Commission | Website IAPP

04/14/2020 – EDPB | Publication | COVID-19 | Apps

The European Data Protection Board (EDPB) published on its website a letter addressed to  the European Commission regarding its draft guidance on apps supporting the fight against the COVID-19.

In this letter, the EDPB supports a “pan-european and coordinated approach” for the use of mobile application. In particular, the EDPB underlines that each technical solution must “be examined on a case-by-case basis” and that the development of applications will have to be documented by a data protection impact assessment indicating that the principles of privacy by design and privacy by default have been implemented.

For further information: Website EDPB

04/08/2020 – European Commission | Recommendation | Containment Exit Strategy

The European Commission issued a recommendation on containment exit strategies using mobile data and applications.

The European Commission is willing to develop a common European approach for the use of mobile applications and data in the fight against the pandemic. The aim of this recommendation is to present a “toolbox” for the implementation of this common approach, including principles for the use of such applications and data.

For further information: Website European Commission | Recommendation European Commission


04/30/2020 – Belgian Supervisory Authority | Opinion | COVID-19 | Tracing apps and databases

The Belgian Supervisory Authority issued an opinion on two preliminary draft Royal Decrees on the use of tracing applications and on the creation of a database to prevent the spread of the coronavirus.

In its opinion, the authority reminds that the necessity and proportionality of the tracing applications and database creation should be demonstrated. Furthermore, such projects must provide additional guarantees for individuals (e.g., no cross-checking between databases).  Besides, the authority recalls that any tracing application must comply with the rules and specifications defined by the European Data Protection Board (EDPB), which has recently issued guidelines in that respect. Finally, the authority highlights that the preservation of public health is not incompatible with the right to privacy.

For further information: Belgian Supervisory Authority website


04/30/2020 – French Supervisory Authority | Recommendation | Publicly available data

The French Supervisory Authority (CNIL) published on its website recommendations regarding the reuse for commercial purposes of publicly available data, accessible online and collected in particular through web scraping.

As the CNIL regularly receives complaints regarding certain companies’ practices which collect publicly available data from websites for marketing purposes, the CNIL reminds that, even if such data are publicly available, they cannot be freely used without complying with the applicable regulations.

The CNIL specifies that, when the individuals have shared their personal data with a company and are not reasonably expecting to receive marketing materials from another company, the reuse of their data for marketing purposes would be possible only with their free, specific, informed and unambiguous consent. Furthermore, the CNIL reminds the good practices to be put in place before using data mining software, including verifying the nature and origin of the data, minimizing data collection and informing the individuals.

For further information: CNIL Website

04/24/2020 – French Supervisory Authority | Decision | “StopCovid” Application

The French Supervisory Authority (CNIL) adopted a decision on the project of mobile application “StopCovid” which is a contact tracing application based on Bluetooth technology (not using geolocation technology) alerting its users in the event of contact with an individual tested positive for COVID-19.

First, the CNIL welcomes the fact that the intended tool would be based on a voluntary approach. In addition, in line with the guidelines of the European Data Protection Board, it considers that the performance of a task of public interest would be the most appropriate legal basis (Art. 6-1-e of the GDPR). For the specific processing of health data, the CNIL considers that the processing would be necessary for reasons of public interest in the area of public health (Art. 9-2-i of the GDPR). The CNIL thus recommends that the use of a voluntary contact tracing application should be covered/regulated by a specific French legal provision.

Finally, the CNIL provides specifications, in particular, regarding the status of data controller (which should be the French Health Ministry or any other health authority involved in the health crisis management), the necessity of a data protection impact assessment, the importance of data accuracy and data security, as well as the respect of data subjects’ rights.

For further information: CNIL Website

04/17/2020 – French Supervisory Authority | Continuity of activities | Current Health Context

The French Supervisory Authority (CNIL) clarifies how it is carrying out its activity in the context of health emergency.

With regard to professionals, the CNIL specifies how it handles requests for opinions and authorizations from professionals, in particular by giving priority to processing activities related to COVID-19. With respect to complaints and claims, the CNIL specifies in particular that response times have been extended. Priority is given to cases related to processing implemented in the context of the epidemic. In principle, the entities concerned by the complaints will be able to respond to the CNIL requests by August 24, 2020 at the latest, unless the CNIL requires shorter deadlines.

Concerning control and sanction procedures, the CNIL specifies that only situations which seriousness requires urgent investigations will give rise to controls, including online. In addition, new deadlines have been introduced for compliance with formal notices and for the observations made in the framework of sanction procedures. However, the CNIL specifies that it may initiate proceedings within shorter deadlines, for example, in the event of a serious violation of individuals’ rights.

For further information: CNIL Website

04/15/2020 – French Supervisory Authority | Standard | Human Resources Management

The French Supervisory Authority (CNIL) published the standard applicable for the processing of personal data carried out for human resources management purposes.

This standard is addressed to private and public employers. It is a compliance tool for processing related to human ressources management such as recruitment and payroll. The publication of the standard is associated with a Q&A in order to answer questions from professionals. Certain processing activities are excluded from the scope of the standard (for example, access control using biometric technologies, professional alert systems, CCTV).

For further information: CNIL Website | Q&A |CNIL Standard

04/09/2020 – French Supervisory Authority | Advice | Video conference tools

The French Supervisory Authority (CNIL) published on its website advices on the use of video conferencing tools.

The advices are mainly addressed to users and cover three different phases: before downloading the application, when registering for the service and when using the service.

For further information: CNIL website

04/08/2020 – French Supervisory Authority | New version of the PIA tool

The French Supervisory Authority (CNIL) made available a new version of its PIA tool.

For further information: CNIL website

04/06/2020 – French Supervisory Authority| Closure of the formal notice | Boutique.Aéro

The President of the French Supervisory Authority (CNIL) decided the closure of the formal notice sent to the company Boutique.Aéro.

The company has already complied with the first level of the formal notice regarding its video device and security measures. The CNIL now notes that the company duly implemented measures to comply with the requirements of the second level (in particular, drawing up a register of processing activities, informing employees about CCTV, signing a data protection charter with subcontractors). The company had 2 months to comply with these measures.

For further information: CNIL website


04/09/2020 – German Supervisory Authority | Baden-Wurttemberg | Data processing agreement

The German Data Protection Authority (Baden-Württemberg) published a model of data processing agreement in accordance with Article 28(3) of the GDPR.

This model has still to be reviewed by the European Data Protection Board.

For further information: German Supervisory Auhtority (LfDI) | Template in English


04/03/2020 – Irish Supervisory Authority | Advices | Video conference

The Irish Supervisory Authority (DPC) published on its website guidance for users and businesses on the use of video conferencing tools.

For further information: DPC website


04/29/2020 – Italian Supervisory Authority | Opinion | Tracing apps

The Italian Supervisory Authority has issued an opinion on the legislative project on contact tracing applications.

For further information: Italian Supervisory Authority


04/30/2020 – Swedish Supervisory Authority | Sanction | Data breach

The Swedish Supervisory Authority has imposed a fine of 18,700 € on the National Government Service Centre (NGSC) for failing to notify a data breach in due time.

In particular, the authority found that the NGSC took almost five months to notify the concerned parties and close to three months before the authority received a data breach notification.

For further information: EDPB Website

United Kingdom

04/24/2020 – UK Supervisory Authority | Statement | Tracing tool | NHS

The UK Supervisory Authority (ICO) issued a statement in which it recognizes the vital role that data can play in tracking pandemic and announced that it has been working with the NHS, which will be lauching a contact-tracing app in the coming weeks.

For further information: ICO Statement | NHS Website

04/17/2020 – UK Supervisory Authority | Blog | Tracing tool

The UK Supervisory Authority (ICO) published on its blog a series of simple questions to be taken into account to ensure that the privacy concerns are properly considered when using digital tracing tools. In particular, it relates to the necessity and proportionality of the collection of personal data and the users’ control over their data.

For further information: ICO Website

04/17/2020 – UK Supervisory Authority | Opinion | Tracing tools | Google | Apple

The UK Supervisory Authority (ICO) issued an opinion on the joint initiative by Google and Apple to enable the use of Bluetooth technology in contact research applications and help governments and public health authorities to limit the spread of COVID-19.

For further information: ICO’s Opinion

04/15/2020 – UK Supervisory Authority | Statement | Activites

The UK Supervisory Authority (ICO) issued a statement outlining its approach during the coronavirus pandemic.

In its statement, the ICO notably indicated that it is willing to take into account the exceptional circumstances.

For further information: ICO website |ICO’s statement

04/08/2020 – UK Supervisory Authority | Statement | Investigation

In a statement, the ICO states that it has recently identified an increase in complaints about nuisance marketing clearly aimed at preying on people’s fears.

The authority warns that it is prepared to investigate any company taking advantage of the current pandemic.

For further information: ICO website

04/07/2020 – UK Supervisory Authority | Investigation | Marriott | British Airways

The and IAPP sites report that, according to the financial reports of British Airways and Marriott, the decisions of the ICO have been postponed to May 18, and June 1, respectively.

For further information: Website IAPP

This newsletter has been prepared by the Technology & Innovation team of the Paris office. For further information, you may contact us by email:

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.