Weekly Newsletter: 18 January – 22 January 2021
GDPR EU Representative

January 25, 2021

EDPB & EDPS adopt joint opinions on new sets of SCCs

[#EDPB #EDPS #SCCs #DataTransfers #ThirdCountryDataTransfer]

“The EDPB and EDPS have adopted joint opinions on two sets of contractual clauses (SCCs). One opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries.
The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.

[…] Wojciech Wiewiórowski, EDPS, said: ‘Given our practical experience, we have made these comments to improve these SCCs with a view to fully ensure that personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place. We believe these suggestions and amendments are crucial in order to achieve these aims in practice.’”

To read more: Click here.

EDPB adopts Guidelines on examples regarding data breach notification

[#EDPBGuidelines #EDPB #DataBreachNotification]

“The EDPB adopted guidelines on examples regarding data breach notification. These guidelines complement the WP29 guidance on data breach notification by introducing more practice orientated guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.

The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities (SAs), such as ransomware attacks; data exfiltration attacks; and lost or stolen devices and paper documents. Per case category, the guidelines present the most typical good or bad practices, advice on how risks should be identified and assessed, highlight the factors that should be given particular consideration, as well as inform in which cases the controller should notify the SA and/or notify the data subjects. The guidelines will be submitted for public consultation for a period of six weeks.”

Find the guidelines here.

To read more: Click here.

GDPR: German laptop retailer fined €10.4m for video-monitoring employees

[#GDPRfine #GermanyGDPR #EmployeesVideoMonitoring]

“The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping €10.4 million ($12.5 million) for keeping its employees under constant video surveillance at all times for the past two years without a legal basis. The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well.

The recipient is notebooksbilliger.de AG (doing business as NBB), an online e-commerce portal and retail chain dedicated to selling laptops and other IT supplies.

[…] ‘Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.’

[…] This is the second fine that the same LfD office has imposed on a company for video monitoring employees. The Hamburg-based data regulator previously fined fashion retail store chain H&M €35.3 million ($42.6 million) last October for a similar offense of keeping employees under constant video surveillance.”

To read more: Click here.

UK ICO Provides Clarity Regarding Transfers of Personal Data to the SEC

[#ICO #UKDataProtectionLaw #DataTransfers]

“On January 19, the UK Information Commissioner’s Office (ICO) published its analysis of the impact of UK data protection law on transfers of personal data from certain UK-based firms to the SEC. Specifically, the ICO considered the application of the UK General Data Protection Regulation (UK GDPR) to transfers from UK-based firms or branches that are registered, required to be registered, or otherwise regulated by the SEC, including investment advisers and securities-based swap dealers. In addition, the ICO reviewed the application of the UK GDPR to transfers from UK issuers that have equity securities or depositary receipts registered with the SEC and listed on a US exchange or market. The ICO concluded that the UK GDPR does not impose legal barriers to the transfer of personal data from these entities directly to the SEC for regulatory or enforcement purposes.”

To read more: Click here.

Nowhere To Hide: Controllers have “Constructive Awareness” Of Processor Data Breaches

[#DPC #DataBreach]

“On December 15, 2020, Ireland’s Data Protection Commission (“DPC”) announced its decision to fine Twitter International Company (“Twitter”) €450,000 for failing to notify the DPC promptly of a data breach affecting EU personal data in compliance with the EU General Data Protection Regulation (“GDPR”). […] the significance of the decision really lies in the message that Controllers cannot escape their breach notification obligations due to failures on the part of their Processors.

[…] The DPC, however, determined that a Controller could not excuse delayed notification of a breach on the basis of a failure on the part of its Processor. Although the DPC noted that, in line with EU authorities’ GDPR data breach guidance, a Controller should be deemed to “become aware” of the breach when it is notified of it by the Processor, the Controller has a responsibility to ensure that it has sufficient measures and an effective process in place to facilitate prompt awareness and the timely notification of data breaches including where the processing is outsourced to a Processor.”

To read more: Click here.

CJEU’s advocate general: One-stop shop means one-stop shop

[#OneStopShop #AdvocateGeneral #Facebookcase #BelgianDPA]

“On Jan. 13, 2021, Court of Justice of the European Union Advocate General Michal Bobek issued his Opinion in case 645/19 opposing Facebook to Belgium’s Data Protection Authority. The opinion has been widely covered in the media, with reports that the advocate general will allow ‘any EU country to take legal action against Facebook or any other tech firm,’ therefore undermining the one-stop-shop enforcement mechanism of the EU General Data Protection Regulation.
Contrary to media reports, the advocate general’s opinion fully upholds the one-stop shop, under which the DPA of the ‘main establishment’ of a company in the EU has a general competence to oversee cross-border processing activities, which includes the competence to bring litigation against the company.

[…] According to the advocate general, the one-stop shop set up by the EU legislators must be given a chance, and if the one-stop shop later proves to be failing to protect individuals, then ‘the entire system would be ripe for a major revision.’ So, the entire one-stop shop might be overhauled some day but not now.”

To read more: Click here.

Data transfers to the US and insufficient cookie information: noyb files complaint on behalf of six MEPs against the European Parliament

“Today, noyb filed a complaint against the European Parliament on behalf of six MEPs. The main issues raised are the deceptive cookie banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the US.

[…] The EDPS will now analyse the additional submissions made by noyb and should issue a decision on the matter in due course. The complaint before the EDPS also potentially allows direct access to the highest European court. A decision can be directly challenged before the European Court of Justice (ECJ). This means that fundamental questions of European data protection law can also be clarified with a simple complaint about an EU website.”

To read more: Click here.