Weekly Newsletter: 11 January – 15 January 2021
GDPR EU Representative

January 18, 2021

Lower Saxony: LfD issues €10.4M fine against notebooksbilliger.de for employee video monitoring without a legal basis

[#GDPRfine #GDPRGermany]

“The Lower Saxony data protection authority (‘LfD Niedersachsen’) issued, on 8 January 2021, a €10.4 million fine against notebooksbilliger.de AG for video monitoring its employees for over two years without any legal basis. In particular, the LfD Niedersachsen noted that the cameras recorded workplaces, sales rooms, warehouses, and common areas, among other places, and that notebooksbilliger.de claimed that the aim of the video camera installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses.

[…] the LfD Niedersachsen noted that this was the largest fine it had ever issued under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), and that this fine is not yet legally binding. In addition, the LfD Niedersachsen stated that notebooksbilliger.de has now legally designed its video surveillance and has proven this to the LfD Niedersachsen.”

To read more: Click here.

Read the press release here (only in German).

How to reclaim your data from Google, Facebook, Microsoft, Apple under GDPR

[#SocialNetworks #DataPrivacy #SharingPersonalData]

“Over the past couple of years, you’ve probably been inundated by emails and notifications asking if you’re happy for companies to keep sending you marketing messages. The reason for this sudden obsession with small print is, of course, the General Data Protection Regulation (GDPR), which came into force in May 2018.

The regulation, which has been described as “the most important change in data privacy regulation in 20 years”, sets out to give individuals greater control of their personal data that’s held by third-parties, such as retailers or social networks.

Given how eager many firms have been in abiding by the sweeping privacy changes, unsurprising given the fact they can be fined up to £500,000 by the Information Commissioner’s Office (ICO) for non-compliance, we thought we’d look at exactly how web companies responded to the new rules and how you can now view, manage and reclaim the personal data that’s been collected about you.”

To read more: Click here

EDPS Inspection Software: Website Evidence Collector

[#EDPS #WebsiteEvidenceCollector #InspectionSoftware #WebsiteDataProcessingOperations]

“The European Data Protection Supervisor (EDPS) has developed open source software tools for the automation of privacy and personal data protection inspections of websites.

The EDPS releases its tool Website Evidence Collector under the European Union Public License (EUPL-1.2). The software is available for download via this webpage (see download link below), on the European Commission’s collaborative platform Joinup and on the popular development platform GitHub.

The tool collects evidence of personal data processing, such as cookies, or requests to third parties.

[…] This EDPS tool allows laypersons after a brief introduction to gather evidence on personal data processing operations of websites using a reproducible, reliable, and fast method. No third-party cloud service is involved to gather evidence. The tool is self-consistent and can be used in intranets without internet access. The open software license allows experts to adapt the tools to their own needs.”

To read more: Click here

Facebook case: the Advocate General of the CJEU has delivered his opinion

[#BelgianDPA #AdvocateGeneralCJEU #CJEU #OneStopShop]

“Today January the 13th, the Advocate General of the Court of Justice of the European Union (CJEU) has delivered his opinion in the case opposing Facebook and the Belgian Data Protection Authority.

[…] The GDPR does establish a new cooperation mechanism between European data protection authorities called the “one-stop shop”. This mechanism provides that the authority of the country where the main establishment of the respondent company is located (in the case of Facebook, the Irish DPC) is competent to take sanctions.

The question therefore arises as to whether this one-stop shop mechanism also affects the possibility for data protection authorities (such as the BE DPA) to initiate proceedings before a court or not.

[…] a national authority which is not the lead authority for a cross-border data processing operation may indeed apply to a national judge under certain conditions, namely «in the situations where the GDPR specifically confers upon it competences to this end.» (Source: Press release CJEU)”

To read more: Click here

Spain: AEPD fines CaixaBank €6M for consent and information failures

[#AEPD #GDPRfines #SpainGDPR]

“The Spanish data protection authority (‘AEPD’) issued, on 13 January 2021, a resolution in proceeding PS/00477/2019, fining CaixaBank S.A. €6 million for violating Articles 6, 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

[…] the resolution highlights […] that the information provided by CaixaBank in different documents and channels was not uniform, imprecise terminology was used within the privacy policy, and information about the category of personal data processed, profiles made of users and specific uses of the same, as well as the exercise of rights and data retention periods, was insufficient.

Furthermore, […] CaixaBank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent, namely, to be specific, unequivocal, and informed.”

To read more: Click here

Read the resolution here (only in Spanish).