Gibson Dunn | Europe | Data Protection – September 2020

September 8, 2020

Click for PDF

Personal Data Watch

European Union

08/10/2020 – European Commission and US Department of Commerce | Statement | Privacy Shield

The US Department of Commerce and the European Commission have initiated discussions to evaluate the potential for a new version of the Privacy Shield that would be compliant with the requirements of the Schrems II ruling.

For further information: Joint Press Statement


08/31/2020 – CBelgian Supervisory Authority | Report

The Belgian Supervisory Authority has published a report on the understanding of the GDPR by small and medium-sized enterprises (SMEs).

The report indicates that, in general, SMEs knowledge and understanding is not equally advanced in all areas of the GPDR. The report mentions that SMEs mainly have difficulties with the data retention periods, the records of processing activities, data processing agreements with third parties, and the principles of data protection by design and by default.

For further information: Belgian Supervisory Authority Website


08/20/2020 – Danish Supervisory Authority | Statement | Data breach

The Danish Supervisory Authority discovered at the beginning of August that a data breach had occurred on its own premises.

The authority stated that physical documents containing confidential and sensitive information about citizens had been thrown away by an employee as ordinary waste, without being shredded. Data protection adviser, Mia Staal Klintrup, indicated that it does not appear that personal data was disclosed to unauthorized persons. The authority declared it had strengthened its procedures.

For further information: Danish Supervisory Authority Website

08/10/2020 – Danish Supervisory Authority | Guidance | Records

The Danish Supervisory Authority updated its guidance on records of processing activities.

For further information: Danish Supervisory Authority Website

08/04/2020 – Danish Supervisory Authority | Sanction | Security measures

The Danish Supervisory Authority proposed to fine an asset management company DKK150,000 (around €20,000) for failing to have proper security measures in place.

The concerned company inadvertently transmitted personal data to tenants.

For further information: Danish Supervisory Authority Website


08/28/2020 – French Supervisory Authority | Alert | “Pulse Secure” | Data security

The French Supervisory Authority (CNIL) has been informed of a data breach relating to several non-updated versions of the “Pulse Secure” products, used by a large number of organizations to secure their employees’ network connections. It alerts on the need to update these tools.

“Pulse Secure” is a tool enabling the creation of a Virtual Private Network (VPN) intended to secure exchanges between machines remotely connected to a corporate network. The CNIL has recently been informed of a vulnerability affecting non-updated versions of certain Pulse Secure products. Confidential information concerning more than 900 companies worldwide was published on a forum early August (IP addresses of vulnerable servers, list of users, identifiers and passwords).

In this context, the CNIL recommends that the concerned organizations install the update, renew all the passwords used on their systems and carry out audits of their information systems.

For further information: French Supervisory Authority Website

08/27/2020 – French Supervisory Authority | Formal Notice | Access Card Readers | Excessive data collection

The President of the French Supervisory Authority (CNIL) recently issued a formal notice to several organizations using access card readers to bring their time and attendance control devices into compliance with the GDPR.

In 2018, the CNIL received six complaints from public officials and private companies’ employees regarding the installation by their employer of access card readers in their workplace which systematically take a photo at each entry.

The President of the CNIL considered that the use of such systems infringed the minimization principle. In this context, the President of the CNIL issued a formal notice to the concerned organizations to bring their time control systems into compliance with the GDPR within three months.

For further information: French Supervisory Authority Website

08/06/2020 – French Decree | Targeted advertising

The French Decree n° 2020-983 authorizing targeted advertising on television has been published.

Since its entry into force on 7 August 2020, it is possible to broadcast targeted advertising on television, according to certain criteria, notably geographical or related to the viewers’ profile.

For further information: Legifrance Website

08/05/2020 – French Supervisory Authority | Sanction | Minimization principle and data retention period | Lead Supervisory Authority

The French Supervisory Authority (CNIL) sanctioned a company specialized in the online sale of shoes to a fine of €250,000 for non-compliances with the principle of data minimization and the rules relating to data retention periods.

The investigation of the CNIL revealed non compliances related to the processing of customer, prospect and employee data. The CNIL considered excessive the recording of all phone calls received by the customer service, the recording of customers’ bank details communicated when orders were placed by phone, and the collection, in Italy, of customers’ “health cards” as part of the fight against fraud.

In addition, the company had no retention period in place for customers’ and prospects’ data. Despite the five-year retention period set since the CNIL investigations, GDPR non compliances were identified. The CNIL also noted non-compliances relating to the information provided in the website’s privacy policy and the information provided to employees regarding the recording of phone calls.

Finally, the company did not ensure data security notably because it should have imposed the use of stronger passwords.
This is the first sanction decision taken by the CNIL as the “lead supervisory authority”.

For further information: French Supervisory Authority Website


08/25/2020 – Baden-Württemberg Supervisory Authority | Recommendations | Schrems II

The Baden-Württemberg Supervisory Authority has issued recommendations and a checklist on international data transfers following the Schrems II ruling.

The Baden-Württemberg Supervisory Authority recommends that companies should immediately make an inventory of all data transferred to third countries, determine whether there is an adequacy decision for that country and check whether standard contractual clauses may be used. For data transfers to the United States under standard contractual clauses, the authority requires additional protections like encryption, anonymization or pseudonymization of personal data. Of note, the guidance was subsequently updated on 7 September 2020.

The authority states that it is aware that the decision “may place extreme burdens on individual companies” and will monitor the situation as it evolves.

For further information: Baden-Württemberg Supervisory Authority Website

08/19/2020 – Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Statement | Patient Data Protection Act

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber criticizes the new German Patient Data Protection Act for violating the GDPR.

In the BfDI’s opinion, the law has serious flaws and does not comply with GDPR requirements, especially when it comes to the introduction of an electronic patient record. He is joined by the German Data Protection Conference (Datenschutzkonferenz – DSK) which has issued a similar statement. The law is still in the legislative process and may be amended following such criticism.

For further information: BfDI Website | DSK Website

08/11/2020 – German Federal authorities | Draft Catalogue | Security of telecommunication and data processing systems

The Office for Information Security announced that the Federal Network Agency has published a draft catalog of security requirements for the operation of telecommunications and data processing systems, developed in collaboration with the BSI and the German Federal Commissioner for Data Protection and Freedom of Information.

The draft catalog will be submitted to the European Commission.

For further information: BSI Website


08/27/2020 – Norwegian Supervisory Authority | Sanction | Processing incompatible with the initial purpose and non-compliance with retention periods

The Norwegian Data Protection Authority fined the Norwegian Public Roads Administration NOK 400,000 (approx. €38,000) for processing personal data for purposes incompatible with the initial purpose and for failing to erase camera recordings after 7 days.

For further information: Norwegian Supervisory Authority Website


08/11/2020 – Romanian Supervisory Authority | Recommendations | Remote working

The Romanian Supervisory Authority issued recommendations on remote working in light of the COVID-19 pandemic.

For further information: Romanian Supervisory Authority Website


08/05/2020 and 08/19/2020 – Spanish Data Protection Agency | Vodafone

The Spanish Supervisory Authority (AEPD) imposed two fines of €75,000 and € 60,000, for unlawfully processing personal data.

According to the AEPD, after a request of deletion from a customer in 2015, the claimant continued to receive SMS marketing messages without a lawful basis. In a separate matter, another claimant alleged that Vodafone España processed and informed of a purchase that had not occurred, using the claimants personal and banking details. Vodafone obtained a combined €42,000 reduction of the fine after agreeing to a voluntary payment.

For further information: AEPD Website (I); AEPD Website (II)


08/18/2020 – Swedish Supervisory Authority | BCRs

The Swedish Supervisory Authority approved the Binding Corporate Rules (BCRs) adopted by Tetra Pak Group.

For further information: Swedish Supervisory Authority Website

United Kingdom

08/27/2020 – UK Supervisory Authority | Annual Track survey results

The UK Supervisory Authority has published the results of its annual survey of over 2,000 persons.

The survey aims to understand what people think about data protection and how they are seeking to exercise their rights.

For further information: ICO Website

08/12/2020 – UK Supervisory Authority | Sanction | Unsolicited emarketing communications

The UK Supervisory Authority (ICO) fined a company £100,000 (around €110,500) for instigating the transmission of unsolicited email communications for the purposes of direct marketing without consent.

The company, specialized in marketing segmentation, had instigated the transmission of more than 21 millions of unsolicited email communications between March 2017 and March 2018. The sanction includes a fine as well as an injunction to stop the processing to which the prospects have not consented.

For further information: ICO Website

08/11/2020 – London Court of Appeal | Ruling | Facial recognition cameras

The London Court of Appeal ruled that the implementation of facial recognition cameras by the Welsh police was unlawful.

While the Court of Appeal does not condemn the very principle of this solution, which consists of comparing images of individuals on the street with databases managed by local authorities, it considers the lack of framework as unlawful.

For further information: Ruling of the Court


08/24/2020 – SOMI | Complaint | TikTok

According to IAPP’s website, the Dutch privacy advocacy group (Stichting Onderzoek Marktinformatie) is planning to file a complaint against TikTok in relation to non-compliances related to children’s privacy and data transfers.

For further information: IAPP Website

08/20/2020 – Irish Supervisory Authority | Twitter

According to IAPP’s website, the Irish Supervisory Authority (DPC) followed for the first time the dispute resolution mechanism provided by the GDPR in a case involving Twitter.

The DPC had forwarded its draft decision regarding Twitter to the other EU supervisory authorities, which formulated a number of objections. The DPC has now referred the matter to the European Data Protection Board, which has up to two months to vote on a final decision.

For further information: IAPP Website

08/19/2020 – Class action | Marriott

According to IAPP’s website, a journalist filed a class action against Marriott over damages from the 2018 data breach.

All 7 million UK individuals affected by the breach are looped into the filing unless they opt-out.

For further information: IAPP Website

08/17/2020 – NOYB | Complaints | Schrems II

According to None of Your Business’ (NOYB) website, the organization filed 101 complaints, concerning companies that continue to forward data to US companies that have not reviewed their appropriate safeguards following the Schrems II decision.

For further information: NOYB Website

08/14/2020 – The Privacy Collective | Class action

According to Euronews’ website, the Privacy Collective is notably suing Oracle for alleged violations of the GDPR.

The collective claims that the concerned companies have engaged in ‘real-time bidding’, a practice of auctioning off consumer profiles without the consent of the concerned individuals. Legal action is to be brought before the courts of Amsterdam and London.

For further information: Euronews Website

08/12/2020 – French Supervisory Authority | Investigation | TikTok

According to OneTrust’s website, the French Supervisory Authority (CNIL) opened an investigation regarding TikTok.

The investigation allegedly follows a complaint from a TikTok user requesting the deletion of a video by the social network. An agent of the CNIL reportedly stated that the investigation is now being conducted as part of the European effort to investigate TikTok. The authority is looking in particular at the information provided to the users and the measures taken with regard to minors.

For further information: OneTrust Website

08/10/2020 – Irish Supervisory Authority | TikTok

According to IAPP’s website, TikTok plans to build a data center in Ireland. The Irish Supervisory Authority is reportedly assessing whether the company qualifies for the one-stop-shop mechanism under the GDPR.

For further information: IAPP Website

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.