A pre-checked checkbox is not enough
The Court of Justice of the European Union (CJEU) decided that a website user has not given his or her consent to the processing of cookies if he or she only “agreed” by means of a pre-checked checkbox containing the information on consent to the processing of cookies (the user would have to uncheck the box in order to refuse consent).
The CJEU emphasised that consent to the processing of cookies may be given by any appropriate method that enables a freely given, specific and informed indication of the user’s wishes. In this particular case, the user pressed the button to participate in a promotional lottery and, by that action, supposedly consented to the processing of cookies. The CJEU held that this does not amount to expressly given consent, since what the user primarily agreed to was something other than the processing of cookies.
The CJEU added that the information the service provider must give to a website user includes the duration of the operation of the cookies and whether or not third parties may have access to those cookies.
The conclusions of the above judgment are not new – they had already been introduced by the European Data Privacy Board in its opinions. However, those opinions are not formally binding (from a legal point of view), although they are normally used as a source of interpretation. The CJEU case law thus fills a certain legal gap while the bill on the new European legal regulation of e-privacy is not yet complete and, at the same time, confirms that the principles and policies of the GDPR are fully applicable in the field of the Internet.
The full wording of the judgment is here.
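As an added illustration (not part of the original newsletter, nor code from the court or any consent library), the following JavaScript models a cookie consent control and turns the criteria summarised above into checks a web team can run in its tests: the box must not be pre-ticked, the user must actively tick it, consent must not be inferred from an unrelated action such as a lottery entry, and the notice must state duration and third-party access. All function and field names, and the sample notice, are assumptions constructed for this example.

```javascript
// Added example (not part of the original article): a small model of a cookie
// consent control that turns the CJEU criteria summarised above into checks a
// web team can run in tests. Field and function names are assumptions.

// Information the article says must be given to the user before consent.
const REQUIRED_NOTICE_FIELDS = ["purpose", "duration", "thirdPartyAccess"];

// Models one consent checkbox as it was rendered and as the user left it.
function createConsentControl({ prechecked = false, notice = {} } = {}) {
  return {
    prechecked,            // was the box ticked before the user touched it?
    checked: prechecked,   // current state of the box
    userToggled: false,    // has the user actively changed the box?
    notice,                // the information shown next to the box
  };
}

// Simulates the user clicking the checkbox.
function userClicksCheckbox(control) {
  control.checked = !control.checked;
  control.userToggled = true;
  return control;
}

// Evaluates whether the recorded interaction can count as consent.
// `submittedVia` names the action that submitted the form, e.g. the
// dedicated "cookie-consent" button or an unrelated button such as
// "lottery-entry". Returns the failed criteria so a compliance test can
// report exactly what went wrong.
function evaluateConsent(control, submittedVia) {
  const reasons = [];

  // Criterion 1: a pre-ticked box is not an affirmative act by the user.
  if (control.prechecked) {
    reasons.push("checkbox was pre-checked; no affirmative act by the user");
  }

  // Criterion 2: the box must be ticked, and ticked by the user.
  if (!control.checked || !control.userToggled) {
    reasons.push("user did not actively opt in");
  }

  // Criterion 3: consent must be specific to cookies, not inferred from
  // agreeing to something else (the lottery entry in the judgment).
  if (submittedVia !== "cookie-consent") {
    reasons.push(`consent inferred from an unrelated action: ${submittedVia}`);
  }

  // Criterion 4: the user must be informed of duration and third-party access.
  for (const field of REQUIRED_NOTICE_FIELDS) {
    if (!control.notice[field]) {
      reasons.push(`notice does not state ${field}`);
    }
  }

  return { valid: reasons.length === 0, reasons };
}

// Constructed sample notice used by the scenarios below.
const SAMPLE_NOTICE = {
  purpose: "measure site usage",
  duration: "cookies expire after 12 months",
  thirdPartyAccess: "shared with an analytics provider",
};

// Scenario from the judgment: pre-ticked box, form submitted via the lottery button.
function judgmentScenario() {
  const control = createConsentControl({ prechecked: true, notice: SAMPLE_NOTICE });
  return evaluateConsent(control, "lottery-entry");
}

// Compliant variant: unticked by default, ticked by the user, submitted via
// the consent control itself.
function compliantScenario() {
  const control = userClicksCheckbox(
    createConsentControl({ prechecked: false, notice: SAMPLE_NOTICE })
  );
  return evaluateConsent(control, "cookie-consent");
}

console.log(judgmentScenario());
console.log(compliantScenario());
```

The returned `reasons` list is deliberately cumulative rather than stopping at the first failure, so a single run over a form design reports every criterion it misses; in a real site the same checks would be fed from the rendered form's initial state and from a recorded click event rather than from the simulated objects used here.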
New form for notification of personal data breach under the GDPR
The Office for Personal Data Protection published on its website a new form for notification of personal data breach under the GDPR. Its content may help you gather all the necessary information regarding the personal data breach even in cases where you decide not to notify the Office.
The form is available here.
Using FaceID technology on construction site from the personal data protection perspective
The Office for Personal Data Protection carried out, within its inspection authority, an inspection whose subject was the processing of personal data involved in using facial recognition technology (FaceID) to identify workers present on a construction site (the inspection was carried out at a construction company). FaceID is a time-and-attendance system that records the time of arrival and departure of individuals entering and leaving the construction site on the basis of facial recognition. Using this technology means that a special category of data – biometric data – is processed.
The Office found the use of FaceID justified in this case, the legal basis for the processing being compliance with a legal obligation (in particular an employment-law obligation). The Office also said that this was a specific case in which the inspected person was able to prove that the processing of biometric data was necessary to ensure safety on a large construction site. The inspected person was not able to achieve this goal by other, less invasive means, or more precisely, the less invasive means used previously had proved ineffective. However, the Office also pointed out that in usual circumstances, employers cannot rely on this legal basis when processing biometric data.
Taking the above into consideration as well, we are of the opinion that this is an extraordinary and specific case, since the technology in question, in line with the previous opinions of the Article 29 Working Party, constitutes an invasive interference with the privacy of the monitored subjects. Therefore, no general rule can be inferred that FaceID technology (or other similar technology) may be used on the basis of compliance with a legal obligation as the legal ground for processing personal data. The reason is that, in general, there are other and less invasive ways (e.g. running a reception, a gatehouse, turnstiles, etc.) that can be used to ensure workplace safety.
Information on the inspection carried out is available on the Office website: https://bit.ly/2ocJhPN
HR News No. 4/ September 2019
In the course of the summer, new amendments to the Act on Residence of Foreign Nationals in the Czech Republic came into effect, along with a few amendments to the Act on Employment. Due to tumultuous developments in the legislative procedure (and a fair number of amending proposals made by lawmakers throughout the deliberations), we have deemed it appropriate to review and sum up for you the changes to be on the lookout for.
Czech Ministry of Health proposes to restrict alcohol advertising by law
The Czech Ministry of Health is currently taking steps to restrict alcohol and cigarette consumption. Following WHO, OECD and global survey data showing that first alcohol and/or cigarette consumption occurs at the age of 12 (in the Czech Republic, some surveys show even 9 years of age), the Ministry prepared a bill to increase the excise duty on alcohol by 13%, which should be followed by a bill on the advertising of alcohol. The bill should cover both TV and digital media and should be inspired by similar legal regulations abroad, such as in Sweden. The national drug coordinator, who closely cooperates with the Ministry of Health on this matter, said that advertising of alcohol should only be possible between 10 p.m. and 6 a.m. and should be accompanied by a health warning. The bill should be completed by the end of this year and subsequently submitted for approval in the legislative process.
The Health Minister said that public education in this field and regulation of its advertising are necessary to successfully limit alcoholism and alcohol consumption in the future (Czechs are among the most passionate drinkers in the world). Unlike tobacco products, where advertising is generally prohibited by law (adverts and sponsorship of tobacco products, the purpose or direct or indirect effect of which is the advertising of tobacco products, are prohibited), the field of alcohol advertising is much less regulated. The law currently limits only its content – for example, it cannot encourage excessive consumption of alcohol, claim that alcohol has medicinal qualities or a relaxing or stimulating effect, or create the impression that consuming alcohol positively affects social or sexual success. Aside from the above, alcohol may be advertised in any possible way, including the offer of free samples.
The GDPR: one year on
On Saturday 25 May 2019, the EU General Data Protection Regulation (GDPR), which aims to protect personal data including by introducing rules on how data is collected, stored, processed and destroyed, will have been in force for one year.
As 25 May 2018 approached, many organisations faced these new European privacy rules with increasing concern. One of the main reasons for this was undoubtedly the extremely high fines that can be imposed for breaches of the GDPR: the majority of infringements can be punished by a fine of up to EUR 20 million or 4% of total worldwide annual turnover for the previous financial year (the higher of the two). The level of fine imposed will depend on an assessment by the national data protection authority (DPA) of mitigating or aggravating circumstances listed in the GDPR including the nature, seriousness and duration of the infringement, whether the data involved was sensitive and any previous breaches.
A year on, with the first wave of decisions and fines now issued by a number of DPAs and investigations ongoing in others, it is interesting to examine the initial effects of the GDPR in the EU. Has it managed to enhance protection for people’s privacy? Did the concern expressed at its potential impact turn out to be justified? Are different trends emerging in different EU countries? These and other questions are discussed below, on a country-by-country level.
Austria
In Austria, first breaches of the GDPR can basically only be sanctioned by a warning; the Austrian DPA imposes fines from the second breach onwards.
So far three fines have been imposed by the Austrian DPA, all of which involved illegal video surveillance. The fines ranged from EUR 300 to 4800.
The Austrian Data Protection Act (Datenschutzgesetz 2000, ‘DSG’) has made use of the scope for making separate rules in Article 88 of the GDPR. Section 11 DSG (based on which the penalty provisions of Article 83 (2) to (6) GDPR are applied) was amended in such a way to ensure proportionality is maintained. Hence, particularly in the case of first-time infringements, the DPA will make use of its remedial powers in accordance with Article 58 of the GDPR, that is, by issuing a warning.
During the past year Austria has imposed very few fines. The DPA judgments issued since the new GDPR legislation came into effect have mainly concerned first findings of infringements and associated warnings. As far as can be anticipated, the DPA seems to stick to the approach described above, issuing a warning for first-time infringements. So far, the DPA seems not to have judged a breach of data protection to be severe enough to oblige it to impose fines right away.
One of the most recent DPA decisions, from December 2018, shows an interesting trend regarding the definition of ‘the data subject’s right to deletion of data’ and whether anonymising by removing individual personal references to a person already satisfies the data subject’s right to deletion of data.
The Austrian DPA ruled that the data controllers (and not data subjects) have the right to choose the appropriate technical and/or organisational security measures for the retention of data and that the removal of individual references is, in principle, a legitimate way to comply with a request for deletion, since the GDPR does not apply to data without personal references (i.e. to anonymised information).
Birgit Vogt-Majarek, and Karoline Saak, Schima Mayer Starlinger
Belgium
The Belgian DPA has taken the time to inform the public of the consequences of the GDPR. It has confirmed that in the first half year of GDPR application, not a single fine was issued, although it has noted that some investigations are already ongoing.
The Belgian Act on the protection of physical persons with regard to the processing of personal data (‘Data Protection Act’) came into effect on 5 September 2018. Under the Data Protection Act, employers from the private sector will, in principle, not be able to retain an extract from the criminal records of employees or job applicants, unless one of the exceptions applies. Nevertheless, the DPA has indicated in the past that where an exception does not apply, the employer can ask a candidate to show an extract from his or her criminal records voluntarily, but the employer cannot take a copy, take notes from it or retain it.
There is no case law on the GDPR in an HR context yet. However, many questions have arisen, such as the use of photos of employees and biometric data. The Belgian DPA has confirmed that in principle, the processing of such data requires the employees’ consent.
The question of the admissibility of evidence obtained in breach of an employee’s privacy has been examined by Belgian case law: the Supreme Court has limited the situations in which such irregularly obtained evidence must be excluded. We are now waiting to find out whether or not the GDPR will influence this case law.
Inger Verhelst, and Isabelle De Somviele, Claeys & Engels
Bulgaria
One year after the entry into application of the GDPR, the Bulgarian Commission on Personal Data Protection (the ‘Commission’) has taken a rather mild approach to enforcement. The Commission’s most common enforcement practices include issuing warnings, official reprimands, and orders for bringing processing activities into compliance with the GDPR. In a few isolated cases, particularly where the personal data controller at fault has been especially non-cooperative, they have issued fines in the range of EUR 500 – 5,000, mostly for processing personal data without a sufficient legal basis under Article 6 of the GDPR. Proceedings before the Commission have usually been initiated on the basis of data subjects’ complaints.
Other than enforcement, the Commission has been preoccupied with issuing various statements on the GDPR’s application, conducting training, participating in conferences, and otherwise raising awareness on the new legal framework.
On the subject of legislation, the Commission took a significant role with respect to the amendments to the Bulgarian Personal Data Protection Act, promulgated in February 2019. Furthermore, in view of the general provisions of Article 32 GDPR on the required level of security, the Commission revoked Ordinance 1/2013 on the minimal level of technical and organisational measures and the permissible type of personal data protection, which used to impose specific obligations at a local level for Bulgarian controllers.
As of May 2019, the Commission has not issued any official statistics or estimates on the level of compliance of businesses and administrative bodies with the GDPR.
Deyan Terziev, Boyanov & Co
Croatia
The Croatian data protection authority (AZOP) has been among the most benevolent regulators in the EU. It has always concentrated on providing guidance and recommendations for compliance. Since the GDPR entered into effect, it has started conducting investigations, mainly in response to reports.
The AZOP publicised instructions on reporting data breaches along with a preferred reporting form. However, there is no publicly available information on any significant data breaches in Croatia or any fines imposed by the AZOP.
The General Data Protection Regulation Implementation Act was published in the Official Gazette No. 42/18. It contains additional restrictive provisions on the processing of genetic data and biometric data, as well as video surveillance, including in the workplace. For instance, in addition to the fines prescribed in the GDPR, a controller or a processor may be fined up to approximately EUR 6,730 for violating the provisions of the GDPR Implementation Act restricting video surveillance.
The national Labour Act and Work Safety Act also contain additional provisions on processing employee personal data, including on video surveillance. These provisions of the Labour Act predate the GDPR, but no amendments have been announced.
Different sector-specific laws and regulations also require certain categories of data about particular categories of data subjects to be stored or archived for maximum or minimum statutory periods.
In addition to the processing operations listed in Article 35(3) GDPR, the AZOP rendered a decision on processing operations requiring a data protection impact assessment (DPIA). The so-called ‘blacklist’ contains 13 types of processing which automatically require a DPIA.
There is no registration fee with the AZOP for controllers or processors. However, the AZOP will charge ‘commercial entities’ (such as law firms or consultants) for its opinions. Data subjects, data protection officers, journalists, and public bodies are generally exempted from the fee, but the AZOP can charge a reasonable fee, depending on administrative costs, or for unfounded, disproportionate, or excessively frequent requests.
The GDPR Implementation Act allows for so-called ‘class actions’ by non-profit organisations or associations acting in the public interest, protecting the rights and freedoms of data subjects.
GDPR is still causing confusion in the business sector. Although there is a general awareness of the GDPR and certain compliance requirements, our impression is that a significant share of the business and public sectors is not yet compliant, at least partially.
The AZOP has held numerous awareness events and presentations, particularly in 2018, while in 2019, it has published a number of opinions, recommendations and guidelines on the application of the GDPR. The most interesting and controversial topics include consent, the processing of children’s personal data, and processing in a marketing context.
Olena Manuilenko, Divjak Topić & Bahtijarević Law Firm
Cyprus
The Cyprus DPA has announced and started drastic inspections and audits in the public and private sectors but its aim is to give guidance and not to impose high fines, except for very serious issues or breaches.
From 25 May 2018 until the end of 2018, the Cyprus DPA received 281 complaints. It has been notified about 32 personal data breaches and issued four decisions with fines up to EUR 11,500. In the DPA co-operation system, 255 cross-border cases have been registered for which two decisions have been issued. The Cyprus DPA has stressed that it is within its tasks and powers to carry out inspections to monitor and enforce compliance.
Some recent decisions issued by the Cyprus DPA (February to April 2019) include a EUR 4,000 fine on an insurance company for unsolicited SMS advertising after eight complaints. In a similar case, a media company that published and processed personal data in breach of the GDPR was fined EUR 3,000 following five complaints.
On 31 July 2018 ‘Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018’ (Law 125(I)/2018) was published in the official gazette of the Cyprus Republic. The Law was adopted for effective implementation of the GDPR. Upon its entry into force, the previous national law on processing of personal data was repealed.
In Cyprus, the right to privacy is vested in the Constitution and is afforded the highest protection. The GDPR has strengthened the legal regime around privacy even further. Its entry into force has enhanced the previous legal privacy framework but, more importantly, has raised awareness and managed to put compliance onto the agendas of board meetings, influencing workplace policies and procedures and employers’ attitude to employees’ rights and privacy.
The Cyprus DPA has issued opinions and guidelines on video surveillance at the workplace and the use of biometric systems, access to employees’ and former employees’ email and general guidance on monitoring in the workplace.
Exercising its power under Article 58(3)(b) of the GDPR, it has recently issued an opinion regarding workplace email monitoring, emphasising that the employer should ensure that work-related emails are also accessible from other sources. In addition, the employer could offer employees the option to have two email accounts, clarifying the distinction between emails for professional and private use, and reducing the likelihood of the employers violating employees’ privacy.
Doria Papanicolaou, George Z. Georgiou & Associates
Czech Republic
In the Czech Republic, there have not yet been any GDPR-related court cases and only a few resolutions of the Office for Personal Data Protection (the ‘Office’) on breaches of the GDPR. This is because the implementation law only became effective from 24 April 2019, and until that time the Office only issued warnings or recommendations. We nevertheless believe that the Office’s approach will be similar, both in terms of sanctions and in its assessment of specific data privacy situations, to that adopted while the previous legal regulation was in force. Before the GDPR, the Office did not fine employers for mistakes in data privacy documentation or processes, or imposed very low fines (most were between EUR 100 and 1,000).
The Act on Personal Data Processing (‘Zákon o zpracování osobních údajů’) has been in effect from 24 April 2019. It does not include any specific employment law-related provisions. Therefore, employers, as data controllers, must comply mainly with the provisions of the GDPR and the Labour Code, which regulates monitoring of employees and recruitment rules. The new Act only contains minor exceptions, such as an amendment to the obligation of the controller to notify a data subject of a personal data breach or the exemption from the duty to perform a data protection impact assessment (DPIA) if the duty to process the personal data is stipulated by law.
The volume of GDPR-related information useful for employers currently available is substantially larger than what we had in May 2018. The Office for Personal Data Protection has published quite a lot of guides on the GDPR and issued several useful statements focused on specific matters, such as marketing, biometrics, employee’s consent, use of employee’s photos, the need to prepare a DPIA and more. The majority of employers are still dealing with GDPR-related problems and quite a number of them have not yet provided the relevant GDPR documentation to employees.
Irena Lišková, Randl Partners
Denmark
Even before 25 May 2018, it was clear that the Danish DPA would not impose large-scale GDPR fines from the beginning. Danish constitutional law means the Danish DPA cannot issue GDPR fines until the Danish courts have established an adequate level for fines for the various types of breach of the GDPR.
In its 2018 annual report, the Danish DPA announced it had received 2,780 notifications of data breaches. Approximately 900 of these cases had been closed, approximately 700 cases were pending and approximately 600 cases were being re-evaluated due to the number of notifications of data breaches involving certain data controllers. 55 cases have been deemed so serious that they have been subject to fast track processing. The Danish DPA further stated that the remaining cases were being classified to ensure uniform processing. Some of the cases that were closed resulted in orders to the data controller.
There are still a number of cases pending. In a few cases on this issue where we have assisted clients, the Danish DPA has confirmed, however, that our client would not be reported to the police even though the case was still pending.
So far, a Danish therapy portal has been reported to the police by the Danish DPA after one user was able to access confidential and private correspondence between other users and their therapists.
Further, the Danish DPA has referred a case to the Danish Prosecution Service for the purpose of the Danish courts prosecuting the company in question. Following an inspection visit at a Danish taxi company, the Danish DPA found that the taxi company had stored personal data (mainly phone numbers) from approximately 9 million taxi rides without a legitimate reason.
The Danish DPA has suggested a fine of DKK 1.2 million (approximately EUR 161,000) be imposed on the taxi company, so even though no GDPR fines have been issued in Denmark yet, we still believe that we will experience a significant increase in the level of sanctions as predicted when the GDPR came into force.
We have not yet seen any final decisions in cases concerning processing of employee data or other labour market-related issues. We do, however, see a significant increase in the awareness from employees and trade unions on employees’ rights with regard to personal data. By way of example, we have assisted a number of clients in handling requests on the right of access to personal data from (former) employees.
Søren Skjerbek, Norrbom Vinding
Finland
In Finland, the GDPR is supplemented with a new Data Protection Act that entered into force on 1 January 2019. The Finnish Data Protection Ombudsman officially became a supervisory authority with the adoption of this new Act. Due to the Act’s late entry into force, the Finnish supervisory authority has, however, had rather limited scope to exercise its powers under the GDPR.
The number of new cases brought increased significantly after the GDPR became applicable in May 2018. The Data Protection Ombudsman has received almost three times more complaints and notifications last year compared to the previous years. One third are data breach notifications. Due to the delay with implementing the new Act and lack of resources, only some of these cases have led to further action by the supervisory authority.
The new Act enables the supervisory authority, together with the other members of the new collegial body introduced by the Act, to impose fines. This collegial body consists of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. These Deputies were appointed by the Finnish government as late as 1 May this year, explaining why no fines have yet been imposed in Finland. Furthermore, the Data Protection Ombudsman has emphasised in his public appearances that corrective measures other than fines can often be a more effective response to failures to comply with data protection legislation. In addition, the Data Protection Ombudsman has underlined the importance of harmonisation when interpreting and applying the GDPR in the EU, meaning that the future practice of the European Data Protection Board is expected to have a significant impact on the Data Protection Ombudsman’s actions.
Finnish legislation has been revised in the light of the GDPR. In addition to the new Data Protection Act, the GDPR is supplemented with the Act on the Protection of Privacy in Working Life, which has recently been amended. The amendments to this Act were minor and mainly technical: the strict protection of employee privacy and more detailed national rules remain central in Finland even in the GDPR era. The Act maintains national requirements and restrictions in matters such as background checks on job applicants, drug testing, employee monitoring, accessing employee emails, retention of employee health data, and on cooperation procedures necessary when implementing new data protection practices. Furthermore, the employer is, in principle, entitled to collect employee’s personal data only from that employee him or herself. Collection of data from other sources requires an explicit legal basis or the employee’s consent. In practice, this recently enforced interpretation has made implementation of whistleblowing systems in Finland more complicated than in other jurisdictions.
Jukka Lång, and Anni-Maria Taka, Dittmar & Indrenius
France
The French Data Protection Authority (‘CNIL’) imposed a huge GDPR fine on Google LLC (EUR 50 million) on 21 January 2019, based on a lack of information and transparency for users. It took into account the large volume of data and number of individuals involved in this violation of privacy.
In general, the CNIL has not yet imposed fines as vigorously and as widely as many people feared: it started first and foremost by providing information, guidelines, e-learning training and various tools about the GDPR on its website. Also, smaller companies are being treated with more leniency.
Nevertheless, the CNIL has already imposed fines on Bouygues Telecom (EUR 250,000), Uber (EUR 400,000), Dailymotion (EUR 50,000) and Optical Center (EUR 250,000), all relating to a lack of technical measures securing client data.
Complaints to the CNIL have increased by 32.5% compared with 2017 and relate to requests to erase data on the Internet, but also complaints regarding inadequate security for personal data in the marketing and business, human resources, banking and health and social services sectors.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows each EU member state to set its own, or further, rules on a number of subjects. France decided to implement the GDPR by staying as close as possible to the text of the GDPR and by updating its existing data protection legislation, which dates back as far as 1978. A law dated 20 June 2018 and an order (‘ordonnance’) dated 12 December 2018 integrated some European provisions on criminal data into French legislation.
The GDPR is slowly gaining attention in labour law but it is too early to cite case law relating to privacy issues covered by the GDPR in the context of employment.
Nevertheless, issues around data protection arise more and more frequently in organisations, for example, data subject access requests. Some employees ask for a copy of their personal data, as a possible preliminary to litigation, notably in cases of termination of employment. Unions and staff representatives are more aware of the issues and question employers regarding the implementation of the GDPR.
Some IT and HR departments have already been confronted with breaches in the security system for personal data, which have forced them to communicate swiftly with the CNIL and with potentially affected employees.
Multinational companies with French subsidiaries have also had to re-think the volume and the level of detail of (local) personal data that they ask to be transferred to their headquarters, especially outside the European Union.
Anne-Laure Périès, Capstan
Germany
According to a recently published article, the German DPAs have issued 75 fines since the GDPR was implemented, based on the authorities’ answers to the article’s research. The total amount of all fines imposed, based on these answers, was only EUR 449,000, the largest single fine being EUR 80,000. By way of background, in Germany the DPAs are organised at the level of the individual German states, and not all 16 authorities had responded to the questions at the time of the research.
The German legislator has passed a set of national implementation rules that took effect at the same time as the GDPR. This German statute (‘Bundesdatenschutzgesetz’) includes a specific rule on the processing of employee data, which is for the most part based on previous German data protection legislation.
The GDPR received a huge amount of attention in Germany, especially around the time of implementation before and after May 2018. This included interest in the impact of the GDPR in employment relationships. Now that ‘GDPR preparation’ has been completed by most employers, an increasing number of new practical issues are emerging, such as how to handle data subject access requests (DSARs) or how to manage a very detailed list of data retention or deletion periods.
Regarding DSARs, a recent lower court verdict against German car manufacturer Daimler has received a lot of attention in the employment law community. The action is now pending before the highest German Labour Court, Bundesarbeitsgericht. In proceedings relating to a termination, the plaintiff, a lawyer himself, demanded to be provided with information about all data collated about his performance and behaviour and about the origin of this data. While DSARs are generally granted by the GDPR, the parties are now debating to what extent DSARs are limited by third party rights such as the privacy of other employees included in correspondence, and to what extent DSARs are limited by practical considerations, to avoid an obligation to provide bottomless amounts of information.
Jessica Jacobi, KLIEMT.Arbeitsrecht
Greece
So far, the Greek Data Protection Authority (HDPA) has mainly opted to raise awareness, providing information, guidelines and consultations and taking on an important role as an interpreter of data protection law provisions. It has, however, also taken some significant enforcement measures, including EUR 150,000 fines on mobile phone operators for making unsolicited calls and a EUR 30,000 fine on a group of companies in the petroleum industry for unlawful processing and failure to comply with the required organisational and technical measures.
Some other notable decisions include its ruling that Uber is an information society service, falling within the scope of GDPR and its decision regarding the right to erasure, forcing Google to comply with data subjects’ requests, which the company had initially rejected, as well as imposing fines for breaching surveillance provisions.
In total, the HDPA has handled 66 data breach notifications in the first six months following implementation of the GDPR.
National legislation to implement the GDPR is still pending. The relevant bill was open to consultation and is expected to be finalised in the coming months.
GDPR is gaining attention in several law areas including labour law. Meanwhile HDPA activity has increased. The organisation chart has been updated to align with the post-GDPR era and controllers are currently being recruited, leading potentially to an increase of monitoring and enforcement measures. Recently, the HDPA published a list of the kind of processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) of the GDPR.
Greek courts have already dealt with a number of GDPR-related issues, such as notification requirements for the transfer of personal data to be used within the framework of employment litigation, compensation for unlawful transfer of personal data, valid consent issues and surveillance of employees.
Dimitrios Kremalis, Kremalis Law Firm
Hungary
Several companies involved in Hungarian Data Protection Authority (NAIH) procedures have been fined. The usual amount of the fine is between HUF 500,000 and HUF 1 million (approximately EUR 1,500 and EUR 3,000).
In one of its most relevant recent decisions, the NAIH imposed a fine of HUF 1 million on a company with a turnover of HUF 15 million, which it considered a symbolic amount, for failing to restrict the processing of, and to issue copies of, camera recordings despite a request from a data subject. The data subject wanted to use the recordings as evidence in legal proceedings, as stated in the request. The company justified its decision on several grounds, including the fact that the data subject did not indicate how deleting the recording would infringe his or her legitimate interest, or in connection with what legal proceedings he or she made the request (although required to do so under Hungarian law).
According to NAIH, the company violated the data subject’s right to restrict data processing. Under Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that restricting processing is necessary for the submission and enforcement of legal claims. There is no need to justify the right and the legitimate interest further than that. The conflicting Hungarian legal provision has been amended by the GDPR implementation law mentioned below.
In addition, the company failed to inform the data subject about the reasons for its decision and the legal remedies available to the data subject.
In imposing the fine, the authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights. The refusal of the request also led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the conflicting national legal provision was still in force, which could have misled the company in its decision to deny the data subject’s request.
Hungary has implemented the GDPR without significant changes. The implementation act came into force on 26 April 2019. The aim of the amendments is the harmonisation of sectoral laws in order to apply the GDPR. The GDPR implementation act amends 86 acts to comply with the GDPR, including the Labour Code. As a result, employees’ documents, the processing of the criminal records and the agreements relating to the use of work-related IT equipment must be reviewed.
Experience has shown that the NAIH is active; several proceedings have been initiated checking the data processing practices of operators and assessing compliance.
Nóra Óváry-Papp, CLV Partners
Ireland
GDPR was implemented in Ireland through the Data Protection Act 2018. The Irish Data Protection Commission (DPC) has taken a proactive approach in respect of its various functions, including running a number of awareness campaigns in the lead up to May 25 2018. The DPC has opened inquiries into the data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp, Google and Instagram, covering issues such as large-scale data breaches, legal bases for processing and transparent presentation to users. It has not issued any fines under GDPR to date, but that is not expected to remain the position indefinitely.
Between 25 May and 31 December 2018, the DPC received 3,687 data-breach notifications, of which 3,542 cases (96%) were classified as valid data protection breaches: an increase of 27% compared with the number of breaches reported in 2017. The largest share of breaches (85%) was due to unauthorised disclosure.
In January 2019, the DPC launched a large-scale public consultation on the Processing of Children’s Personal Data and the Rights of Children as Data Subjects under the GDPR. The DPC intends to use the responses to produce guidance materials for children and young people, and for organisations that process personal data of children and young people.
The DPC’s budget has increased significantly in recent years and the number of staff is due to increase further this year to meet the increased workloads.
Linda Hynes, Lewis Silkin Ireland
Italy
At the moment we have no news regarding fines issued by the Italian DPA (‘Garante Privacy’) based on the GDPR. Debate was wide-ranging over the past year and the DPA issued guidelines and information; however, there have been few investigations or actual breach procedures. This is due to a number of factors. By way of example we can list:
- the need to reorganise the structure and procedures of the DPA;
- the Italian legislator’s request for a ‘first application’ period of the GDPR to be observed (eight months following the amendment of Italian Privacy Code, published in August 2018);
- follow up activity performed by the DPA after the law was passed to make sure all the regulations and indications were in line with the legal position.
The legislator decided not to repeal the previously applicable privacy legislation (Legislative Decree no. 196/2003, the so-called ‘Privacy Code’) and rules, but to amend them and make them compliant with the GDPR in order to create a new legal framework. Decree no. 101 of August 10 2018 modified the Privacy Code and required a series of actions from the Italian DPA (e.g. the amendment of the previous general authorisations or the introduction of specific codes of conduct and guidelines).
The current initial situation of legal review is expected to change in the near future: the period of ‘first application’ of the GDPR recently ended and it is possible that the DPA will begin new initiatives, including inspections. In addition, two relevant regulations regarding the Italian DPA were recently published and came into force: these regulations give the DPA itself a new structure and define new administrative procedures to be observed, related deadlines and areas of expertise. The system may now be ready for the next step.
Paola Pucci, Toffoletto De Luca Tamajo e Soci
Latvia
The Latvian DPA did not impose many penalties during the first year of GDPR application. The biggest publicly announced penalty was only EUR 2,000, which is even smaller than the penalties imposed before the GDPR started to apply a year ago. There are several reasons for this: the DPA announced that it would devote the first year to consulting, to ensure appropriate implementation of the GDPR. The DPA was also overloaded due to a record number of complaints. Additionally, historically, the activity of the DPA regarding penalties has been variable: if one year has been productive in terms of penalties, the next has usually been less active.
Data controllers also started reporting personal data breaches, but many of these cases did not qualify for reporting under the GDPR. Thus, many controllers choose an overly cautious reporting strategy.
Latvia has adopted a local ‘Personal Data Processing Law’. The Law does not repeat the provisions of the GDPR; instead it sets out provisions regarding the DPA, data protection officers, certification mechanisms, exceptions to data subjects’ rights as well as some specific personal data processing cases (such as children’s personal data, video surveillance and logs). Still, many data protection provisions can be found in other legislation related to other specific areas of law (such as litigation, patients’ rights, accounting, tax and many others).
There are several trends related to implementation of the GDPR. The most widespread one relates to dealing with data subjects’ requests: while ensuring access rights is a good test for reviewing a controller’s data processing activities, the ‘right to be forgotten’ can be a reason for further litigation. Moreover, companies have started paying more attention to security measures tailored specifically for personal data. Finally, GDPR-related questions have become an important part of M&A deals.
Anna Vladimirova-Krjukova, COBALT
Lithuania
On 16 May 2019, the first fine for a breach of the GDPR imposed by the Lithuanian State Data Protection Inspectorate was announced. A fine of EUR 61,500 was imposed on the electronic money institution MisterTango. The investigation proved that the company had breached three GDPR articles: the data minimisation principle, lack of security measures and failure to inform the DPA about a data security incident.
The company denies the alleged violations, specifically the failure to notify the DPA, stating that the obligation to notify was not breached, as the personal data incident was unlikely to result in risk to the rights and freedoms of individuals. It was reported that the data incident lasted two days, during which approximately 50 clients’ data was freely accessible from outside the company. However, according to the company no actual data leakage occurred. Nevertheless the DPA decided that it should have been notified. The company intends to appeal the decision to the national courts.
On 16 July 2018 the Law on Legal Protection of Personal Data was adopted. This law provides some basic rules for the use of individuals’ personal codes (national ID numbers) and for processing employee personal data. For example, it provides that it is forbidden to process a candidate’s criminal record unless specifically prescribed by law. In addition, the Lithuanian DPA has adopted an order specifying the data processing operations that require a privacy impact assessment. They include, for example, cases where telephone conversations are recorded, where CCTV monitoring of public spaces occurs and where children’s data is processed for direct marketing purposes.
The GDPR is getting a lot of attention in the Lithuanian media, and interest is particularly noticeable among the business communities in the larger Lithuanian cities. In comparison, GDPR compliance in smaller towns as well as in state and governmental institutions is still not adequate. Nevertheless, the Lithuanian DPA is quite active and supportive. In January a list of planned inspections was made public, announcing the names of 75 organisations that will face GDPR compliance inspections in 2019. After the investigations are completed, the DPA usually provides its recommendations regarding the most common compliance failures.
Renata Vasiliauskienė, COBALT
Luxembourg
In Luxembourg, the GDPR was implemented by the Law of 1 August 2018 on the organisation of Luxembourg’s National Commission for Data Protection (‘Commission Nationale pour la Protection des Données’, CNPD) and the general system for protecting data (the ‘Law’). The Law came into force on 20 August 2018.
The Law modifies article L. 261-1 of the Labour Code concerning the monitoring of employees by the employer.
The main changes are set out below.
An employer can process personal data to monitor employees (if it is the responsible party) in the circumstances described in Article 6(1) of the GDPR. This extends the scope of such processing: the old legislation only allowed employers to use a monitoring system in the workplace in five limited circumstances, listed in the Labour Code. The employer also no longer has to secure the prior authorisation of the CNPD.
The employer is still obliged to inform the person in question, as well as the staff delegation or, failing that, the Inspectorate of Labour and Mines in advance of any processing of personal data to monitor employees’ activities.
The Law now specifies what this prior notice should include: a detailed description of the purpose of the planned processing, the process for implementing the monitoring system and, if applicable, the duration and criteria for storing the data as well as a formal commitment by the employer not to use the data collected for any purpose other than the one specifically defined in the notice.
When the employer plans to process data in order to monitor employees, the staff delegation, or failing this the employees concerned, can submit a request for an advance compliance opinion to the CNPD within 15 days of receipt of the notice. The CNPD will have to provide its opinion within a month of the request. The request for an advance compliance opinion has a suspensive effect, meaning the planned monitoring cannot be implemented until the CNPD has given its opinion.
Data processing for monitoring for employee health and safety purposes, for temporarily monitoring the employee’s production or services when this is the only way to determine an exact salary, or for organising work on a flexitime basis is still subject to the co-decision system in accordance with the Labour Code, unless the processing is to fulfil a legal or regulatory obligation.
Since the GDPR and the Law entered into force, the CNPD has received many notifications of data breaches, however no major fines have been imposed yet.
Noémie Haller, Castegnaro
Netherlands
The Dutch Data Protection Authority has not yet imposed GDPR fines as vigorously as many people feared: it started first and foremost by providing information, guidelines and tools about the GDPR on its website.
Only one fine has been imposed: Uber was fined EUR 600,000 for breaching the reporting obligation for data breaches. This data breach took place at the Uber Group in 2016 (since 2016 there was already an obligation to report data breaches in the Netherlands, but with much lower penalties): unauthorised individuals were given access to customers’ and drivers’ personal data (names, email addresses and phone numbers). The Uber group was fined because it did not inform the DPA and the data subjects involved within 72 hours following the discovery of the data breach.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows the possibility for each EU member state to set its own, or further, rules on a number of subjects. The Netherlands decided to implement the GDPR in a ‘policy-neutral’ manner, meaning the Dutch implementation act (‘Uitvoeringswet AVG’) stays as close as possible to the text of the GDPR. More specifically, the Dutch implementation act has not made use of the possibility to introduce separate rules for processing of employees’ personal data. The implementation act applied from 25 May 2018.
The GDPR is slowly gaining attention in labour law. Dutch case law has seen examples in the past year of issues relating, for example, to data subject access requests or privacy claims after negative references from a former employer. The question of the admissibility of evidence obtained in breach of an employee’s privacy has also been examined: based on Dutch case law, even if it is established that evidence used, for example, in a dismissal case was obtained unlawfully by the party relying on it, the court is not generally required to disregard it. The general social interest in the truth coming to light plus the parties’ interest in being able to support their case, outweigh the arguments for excluding such evidence unless additional circumstances indicate otherwise.
Philip Nabben, Bronsgeest Deur
Poland
The Polish DPA has imposed two GDPR fines so far. The first, of PLN 943,000 (approximately EUR 218,803), was imposed on an entity that processed the data of 6 million data subjects, but only 90,000 of them were informed about it. The second fine was imposed (only a few days ago) on a sports association for failing to delete judges’ data effectively. A penalty of PLN 55,000 (approximately EUR 12,762) was imposed.
Last year was also unique in terms of number of reported complaints and breach notifications. According to figures gathered by the Panoptykon Foundation, from 25 May 2018 to 28 February 2019, 5651 complaints were filed in Poland. Additionally, 3189 data breach notifications have been submitted to the DPA.
Although the main result of the entry into force of the GDPR was the introduction of a completely new Act on the protection of personal data in Poland, amendments to the Polish Labour Code introduced even more significant changes in the field of the employment market and practice. Firstly, specific provisions regarding monitoring in the workplace are now in force and this monitoring is allowed only in certain situations. In addition, a list of employees’ and job candidates’ personal data which can be processed by employers has been established. There is a list of data that ‘must’ be requested by employers and provided by candidates and employees. Additionally, new provisions expressly allow employers to collect other personal data on the basis of the job candidates’ or employees’ consent. However, any special categories of data can only be processed based on consent if provided by the job candidate or employee at their own initiative. Employee biometric data processing is also possible if it is necessary to control access to particularly sensitive information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection.
Recently GDPR-related issues have dominated the labour law market. The DPA has issued a handbook for employers with answers to frequently asked questions. One hot topic is undoubtedly the scope and retention of data collected during recruitment. And yet, the appropriate duration of retention is unclear, since the opinions of the DPA and Polish Ministry of Digital Affairs differ. Close scrutiny of practical developments will be essential in this field.
Lastly, video monitoring is expected to become one of the main issues in 2019. The DPA has announced that its activity will focus on this area. In parallel, these types of cases (related to the legality of video monitoring or the legal basis of employee data processing) are slowly starting to be reviewed by the courts.
Edyta Jagiełło and Marta Zalewska, Raczkowski Paruch
Portugal
During the first year of GDPR enforcement, the Portuguese DPA imposed four fines as a consequence of data privacy breaches.
In 2018, a fine amounting to EUR 400,000 was issued as a result of indiscriminate access by hospital staff to patients’ data and the inability of the data processor (the hospital) to ensure the confidentiality, integrity and resilience of the system and processing services. The DPA considered that the hospital was severely at fault in its actions.
Minor fines were imposed during the course of 2019. A fine of EUR 20,000 was imposed on a call centre’s client (the data controller). The call centre did not provide a customer with records of phone calls after being requested by the latter to do so. The other fines, of EUR 2,000 each, were imposed as a result of the lack of warning signs in cases of video surveillance.
Up to February 2019, more than 200 complaints were notified to the Portuguese DPA. Considering the number of complaints and the four fines already publicised, there is clearly a lack of means and responsiveness at the Portuguese DPA (a fact that is also recognised by the Authority).
The Portuguese Government has not approved any national legislation aiming at adapting the GDPR. This delay is related to the negative opinion issued by the Portuguese DPA regarding the draft law that was published last year and subject to public consultation. We anticipate a national law will be approved in the coming months.
Data privacy concerns are common in employment relations and courts are slowly being asked to decide cases involving privacy issues. The GDPR focussed the attention of companies on privacy matters and after the initial stress of its entry into force the litigation environment is currently calm.
There is significant interest and anticipation regarding the proposed Portuguese national law on data protection and how the DPA will conduct its future inspection mission.
Bruno Barbosa, pbbr
Slovakia
Slovakia is still waiting for the first fine for failure to comply with the GDPR. Notwithstanding, the Slovak DPA is not afraid to impose fines of up to EUR 5,000 for refusal to cooperate during inspections to ‘motivate’ the organisations under inspection to provide the requested documents and information.
The reason for this is that the Slovak DPA is overloaded with thousands of complaints brought by the individuals, who in many cases are not even the data subjects, whose rights could have been violated. This means the inspections take months and data controllers are nervous of whether they are fully compliant or will be fined.
Despite the fact that the GDPR is effective EU-wide, Slovakia has adopted its own legislation, which came into force on the same day as the GDPR. The local law does not deviate from the official text of the GDPR, except the parts regulating the activities of the Slovak DPA. So far, the interpretations of the GDPR made by the local authority are in line with the guidelines issued by the European Data Protection Board.
Slovak employers were quite well prepared for the GDPR. HR departments took the opportunity to revise HR documentation to meet the GDPR requirements, and if necessary, to update it in other areas as well. One year later we note that most employers have implemented the GDPR, or have at least tried to. One positive observation is that after identifying any inconsistency with the GDPR, they are willing to fix it very fast.
The Slovak courts are also well prepared to apply the European case law when dealing with an employee privacy breach and the monitoring of employees’ work activities. Moreover, the Supreme Court has opined that such case law also applies to privacy breaches that occurred prior to the relevant EU case law. This means employers are forced not only to keep up with recent EU case law but also to establish a careful balance between their right of control and employees’ privacy rights to avoid any future claims.
Danica Valentová, Nitschneider & Partners
Slovenia
Slovenia is one of the EU member states that has not yet completed the process of implementing the GDPR into national legislation. The legislative procedure for the adoption of the new Personal Data Protection Act is still ongoing. Only after its adoption will there be legislation listing violations and providing a basis for sanctions under the GDPR. The Information Commissioner as the competent authority for data protection in Slovenia does not currently have the power to impose administrative fines for violations of the GDPR. Consequently, the Information Commissioner can only impose monetary fines under the currently valid Personal Data Protection Act for matters not covered by the GDPR (e.g. biometrics, direct marketing, video surveillance, database linking etc.). Inspections initiated prior to GDPR with regard to matters that are now regulated by the GDPR had to be suspended until the new Personal Data Protection Act is adopted.
The latest proposal for the new Personal Data Protection Act was published on 6 March 2019 and is currently in the public consultation phase. The main concern is that the proposed new Act may overstep the margin of discretion foreseen in the GDPR in some aspects. Therefore, it is expected that the proposal will undergo further revisions, before being adopted by the National Assembly, probably in the second half of 2019.
Observations from the Information Commissioner show there has been a significant increase in requests for access by individuals to their personal data and requests for erasure of personal data. As follows from these observations, as a result of poor differentiation between the legal bases for the processing of personal data under the GDPR, many businesses prefer to ‘flood’ data subjects with consent requests rather than relying on another legal basis for processing. On the other hand, a large number of DPOs have been nominated (more than 2,100). The Information Commissioner also notes that data subjects are quite well acquainted with their rights deriving from the GDPR. As regards the impact on HR, practice shows that regulation was also rather strict before the GDPR and therefore no major changes have had to be implemented in this respect so far.
Darja Miklavčič and Jana Šteblaj, ŠELIH & PARTNERJI Law Firm
Spain
In its 2018 annual report, the Spanish DPA admitted that a radical change of mentality is absolutely necessary to achieve adequate implementation of GDPR. According to the Spanish DPA, this is a challenge not only for responsible individuals within organisations but also for the regulator, which has been forced to provide tools and guidelines to Data Protection Officers to facilitate GDPR compliance.
Some statistics from the first year: 34,000 data protection officers were appointed, almost 5,000 GDPR consultations were conducted and over 14,000 claims received. There have been almost 1,000 notifications of data breaches (a 30% increase).
This year has served to implement a change of culture in data handling by all players; for this reason the Spanish DPA has not yet imposed GDPR fines. However, there is a relevant case under the previous regulation from March 2018, regarding two severe infractions relating to personal data. A EUR 300,000 fine was imposed on WhatsApp (for communicating data to Facebook without valid consent) and Facebook (for using it for a purpose for which consent was not given).
The Organic Law 3/2018 of 5 December, on ‘Personal Data Protection and guarantee of Digital Rights’ gave rise to new articles in the Statutory Law (‘Workers’ Statute’), namely:
- right to privacy regarding use of electronic devices within employment relationships;
- right to privacy regarding video surveillance and sound recording in the workplace;
- right to privacy regarding the use of GPS tracking within employment relationships; and
- employees’ right to digitally disconnect.
These new rights radically overhaul the way personal data is used and treated by employers, meaning internal policies must be drafted and followed to comply with them.
Individuals and therefore, employees are more concerned about their data and a wide range of cases have reached the courts. The proportionality principle is key when considering the legal validity of each practice.
GPS tracking installed and monitored on employees’ electronic devices is not allowed unless it is deemed adequate and necessary for a legitimate business goal, is not against any collectively agreed regulation, and only after providing sufficient information on the measures to employees and their representatives, or after consulting or bargaining with them when required.
A clause in the employment contract by which call centre employees consented to monitoring by webcams was held valid, since it was foreseen in the relevant Collective Bargaining Agreement and the employees knew about it when they were hired.
Lastly, the court disregarded evidence obtained in a breach of employees’ privacy. Two employees started a fight in the work parking area and were recorded by CCTV. Employees had not been informed of this video surveillance or its potential disciplinary use.
José Miguel Mestre Vázquez, Sagardoy Abogados
Sweden
The Swedish DPA has not yet imposed any fines. However, the DPA has provided information about ongoing investigations and the following are of interest:
- Google’s access to user location data by means of its so-called ‘Location History’ and ‘Web & App Activity’;
- how Klarna, a company that offers transfer of payments services, uses customers’ personal data; and
- a school using facial recognition to register attendance.
An incident has also been reported in media regarding a service providing medical advice to individuals by phone, called 1177. According to media reports, a million calls were publicly available on a web server. The DPA is currently investigating the companies providing this service.
Sweden decided to implement a law that complements the GDPR from the same date as the GDPR came into force. Since the purpose of the law is to complement the GDPR, it is not comprehensive. There is no separate legislation regarding the processing of employees’ personal data.
The Swedish DPA has just published an integrity report including frequently asked questions from citizens and organisations. Questions concerning the lawfulness of employers’ processing of personal data are frequently asked, according to the report. The DPA has also, in its enforcement scheme, stated that employers’ monitoring of employees is one of the tasks prioritised for 2019-2020.
Sofia Lysén, Elmzell law firm
United Kingdom
The UK’s Information Commissioner’s Office (ICO) is yet to impose a fine under the GDPR, though we understand that a fine is imminent. The most notable fine since 25 May 2018 was a fine of GBP 500,000 against Facebook (the maximum penalty under the Data Protection Act 1998).
In April 2019 the Home Office accidentally shared the email addresses of hundreds of EU citizens applying to stay in the UK after Brexit. The ICO were alerted to this incident and have said they will make an assessment, but no decision has yet been released.
Although no fines have yet been issued under the GDPR, the ICO have issued ten enforcement notices under the DPA 2018 and GDPR.
On 23 May 2018 the Data Protection Act 2018 became UK law, implementing the EU’s General Data Protection Regulation (GDPR). Some UK specific rules have been adopted, for example the ability for UK companies to process diversity data for the purposes of diversity monitoring without the consent of the data subject, and the criminal offence of deliberately failing to provide data to a data subject who has submitted a data subject access request.
The GDPR will be enacted in UK law after Brexit under section 3 of the European Union (Withdrawal) Act 2018.
Similar to other European countries, the UK has seen a rise in the number of data subject access requests submitted to data controllers, and also the number of data breaches reported to the ICO. The most commonly reported breach is a misaddressed email, rather than those breaches people typically imagine, for example systems being hacked.
Also, it is now customary to receive a data subject access request in conjunction with a grievance and a tribunal claim. Data subject access requests are used as a tool for disclosure, but also as a tool to attempt to leverage more favourable terms from employers.
Steven Lorber and Sean Illing, Lewis Silkin
Belgium + Comments from other countries – Seven months post GDPR: What about fines?
Since the GDPR came into force in May 2018, all European data protection authorities have the power to issue fines for breaches of data privacy and non-compliance. But have they used them? This article explores the first seven months of GDPR enforcement.
The introduction of the General Data Protection Regulation was one of the most hotly anticipated developments the business and legal world has ever seen. One of the main reasons why businesses spend resources on becoming GDPR compliant is the huge fines that can be imposed by the national regulators, known as Data Protection Authorities (DPAs) for not respecting their obligations under the GDPR. Now that the GDPR has been in force for several months, it is interesting to review what has happened with enforcement in practice so far.
Equal powers for DPAs
Before the entry into force of the GDPR, all European countries had a Data Protection Authority (DPA), but there were few countries where the DPA was also able to fine companies that were not compliant with the data protection rules. This led to a huge difference in compliance levels from one country to another, because let’s be honest: the risk of getting fined is an important consideration in choosing whether and how heavily to invest in compliance projects. The GDPR has changed this by granting all EU DPAs the same level of investigatory and corrective powers.
Administrative fines
One of the most far-reaching things a DPA can do since the GDPR, irrespective of the country in which it is located, is to impose administrative fines.
For a number of infringements, the fines can amount to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover for the preceding financial year (whichever is higher), for example when:
- the company did not keep a record of processing activities;
- no processor agreement has been entered into; or
- no data protection officer has been assigned when the organisation should have appointed one.
However, the majority of infringements of the GDPR can be punished with a fine of up to EUR 20 million or, in the case of an undertaking, of up to 4% of the total worldwide annual turnover for the preceding financial year (whichever is higher). This will apply, for example, when:
- the organisation did not respect the basic principles or does not have a legal basis for processing;
- the data subjects’ rights are not guaranteed; or
- transfers of personal data to a third country are not protected.
The GDPR states that these fines must be ‘effective, proportionate and dissuasive’. When assessing whether a fine should be imposed and when determining the amount, DPAs will have to take into account a range of mitigating and aggravating circumstances, such as the nature, the gravity and the duration of the infringement, the intentional or negligent character of the infringement, the nature of the personal data (whether or not it is sensitive), previous infringements by the company and so on.
By granting the DPAs the power to impose these heavy penalties, the European legislator aims to strengthen national ‘watchdogs’ to ensure compliance with the GDPR. The purpose of these heavy penalties is therefore clear: pushing GDPR compliance high up on the agenda of all organisations doing business in Europe, wherever they are headquartered.
Have DPAs already imposed fines?
More than half a year since the GDPR became applicable, there has not been a deluge of administrative fines across Europe.
In Belgium, for instance, the DPA has taken the time to inform the public of the consequences of the GDPR by updating its website. It has confirmed that in the first half year of GDPR application, not a single fine has been issued, although it does note that some investigations are already ongoing.
In other countries, the DPA has already set an example by issuing a fine. The Austrian DPA imposed the first known fine under the GDPR, EUR 4,800 for illegal video surveillance. Next came the Portuguese authority, which imposed a fine of EUR 400,000 on a hospital after staff members illicitly accessed patient data. In France, the first fines were also issued under the GDPR: an employer who used a biometric system to monitor employees' working time and failed to inform them received a fine of EUR 30,000. The most recent case came from one of the regional German DPAs, which issued a fine of EUR 20,000 to a social media company that had violated its data security obligations. In this case, the German regulator explained the relatively low fine by referring to the company's exemplary cooperation with the authority after it discovered the hack and the substantial investments the company made in strengthening its information security measures.
On the evidence to date, it seems that DPAs are not competing to issue the highest possible fines, but are striving to improve data protection and data security as much as possible.
Employer’s bottom line
Without a doubt, more fines are on the way. In the Ius Laboris Alliance, our specialised lawyers are ready to assist organisations not only in ensuring they are GDPR compliant to avoid fines, but also when they are confronted with investigations by, or discussions with, DPAs.
The view from other places
Ius Laboris Russia December 20, 2018 at 08:37
GDPR does not directly apply to data processing in Russia and the Russian DPA is not authorised to impose fines for GDPR breaches. However, Russia has recently joined the amended Council of Europe Convention on the protection of individuals with regard to automatic processing of personal data. This means that Russian legislation will be brought in line with the new requirements of the Convention. According to the Russian DPA, this is aimed in particular at harmonisation of Russian legislation with EU legislation, which includes the GDPR. The Russian DPA has already confirmed that the changes will relate to implementation of the GDPR data subjects' rights and data breach notifications into Russian legislation. – Anastasia Petrova
Ius Laboris France December 20, 2018 at 08:38
In France, the first fines have been issued under the GDPR: the DPA issued a fine of EUR 10,000 for failure to ensure the security of data processing and a fine of EUR 30,000 for illegal use of a biometric system to monitor employee working time and failure to inform employees of data processing. – Guillaume Bordier & Basile Moore – Capstan
Ius Laboris Denmark December 20, 2018 at 08:40
To our knowledge, no GDPR fines have yet been issued in Denmark. The Danish DPA has stated that it will not issue any administrative fines before having tried some cases in the courts to establish a level for the fines. The first cases are said to be handed over to the police during the autumn: it is then up to the police to bring the cases to court. – Elsebeth Aaes-Jorgensen – Norrbom Vinding
Ius Laboris Czech Republic December 20, 2018 at 08:41
In the Czech Republic the DPA (The Office for Personal Data Protection) was also able to fine companies for failure to comply with data protection legislation prior to the application of the GDPR. According to the publicly available information and consultation with the DPA, there has not yet been any fine issued solely based on the GDPR. However, some inspections in order to check compliance with the GDPR have already occurred.
Nevertheless, the DPA has issued an opinion that between entry into force of the GDPR and adoption of forthcoming national legislation to implement it (this has not yet been adopted and is currently in the legislative procedure in the Senate), the DPA is focussing especially on raising controllers’ awareness of the data protection duties and not primarily on punishing small controllers for minor and negligent misconduct.
Under the old rules, the highest fine which was imposed amounted to EUR 15,000. – Irena Lišková – Randl Partners
Ius Laboris Italy December 20, 2018 at 08:42
According to the Italian DPA’s investigative activities agenda, the second part of 2018 has been focused on companies and organisations managing databases of significant dimensions, banks and telemarketing companies. There is no information available on the amount of fines issued by the Italian DPA in this period but it is known that the highest fines issued so far are connected to violations committed before May 25 2018 (TLC sector).
The above could be due to the fact that a few months after the GDPR became effective, the Italian Parliament passed a Decree in order to make the Italian Privacy Code compliant with the GDPR. The Decree stated that, in applying the sanctions and for the first eight months (i.e. from 19 September 2018), the Italian DPA should take into account that it is still in 'the phase of first application of the sanctions'. – Paola Pucci – Toffoletto De Luca Tamajo e Soci
Ius Laboris Portugal December 20, 2018 at 08:44
Two fines were imposed (EUR 30,000.00 and EUR 100,000.00) as a result of hospital staff accessing patient data indiscriminately and the data processor (the hospital) being unable to ensure the confidentiality, integrity and resilience of the system and processing services. The DPA considered that the hospital was severely at fault. The hospital announced that it will appeal the decision in court due to lack of legitimacy of the DPA to impose GDPR-related fines. – Bruno Barbosa – PBBR
Ius Laboris Israel December 20, 2018 at 08:45
Israel is not part of the EU, therefore the GDPR was not adopted into local privacy legislation. Nevertheless, the Israeli Privacy Law sets out administrative fines which can be imposed by the Israeli Protection of Privacy Authority (PPA) for certain breaches of the Privacy Law (e.g. non-registration of a database, the failure to provide privacy notices to data subjects, breach of the obligation to provide access and review rights to data subjects, etc.).
Currently, the amounts of fines that can be imposed are very low (approximately NIS 10,000 or NIS 25,000 for corporate entities). There is a draft bill that aims to increase the PPA’s administrative powers, including the amount of fines that the PPA can impose for violations of the Privacy Law (up to NIS 3.2 million, depending on the sensitivity of the personal data and the number of affected data subjects involved). However, it is currently unclear if and when such draft bill will come into force. – Ohad Elkeslassy – Herzog Fox & Neeman
Ius Laboris Hungary December 20, 2018 at 08:47
The Hungarian Data Protection Authority (HDPA) has initiated 1063 proceedings in relation to data protection issues and found several infringements since the GDPR became applicable until the end of October. After 26 July, the HDPA initiated 28 data protection procedures applying the GDPR: the amendment of the Hungarian Data Protection Act entered into force on 30 June.
According to information given by Attila Péterfalvi, the president of HDPA, a majority of data protection procedures have not yet reached a stage of the proceedings when decisions will be made, so fines have not been imposed. On the basis of the authority’s experience, typical infringements remain unchanged since the GDPR entered into force: the largest number of complaints submitted relate to video surveillance, monitoring of employees in the workplace and winding-up institutions’, banks’ and online shops’ processing of personal data. – Dr. Nóra Óváry-Papp – CLV Partners
Ius Laboris Netherlands December 20, 2018 at 08:49
The Dutch Data Protection Authority (DDPA) has not issued any fines based on the GDPR yet. However, the DDPA did recently (November 2018) impose a fine based on the previous privacy legislation. The EUR 600,000 fine was imposed on Uber under the Act on Notification of Data Breaches (Wet Meldplicht Datalekken) as a result of a breach in 2016 and the failure to notify this breach to the DDPA within 72 hours. This Act (including the power for the DDPA to impose fines) came into force in the Netherlands in 2016. The obligation to notify data breaches under the GDPR is very similar to the obligation in the Act. – Ilse Baijens – Bronsgeest Deur Advocaten
Ius Laboris Mexico December 20, 2018 at 08:50
The Mexican DPA ('NAI') has been active in imposing fines for infringements of the data protection law. Fines have often been hefty, as these may be of up to MXN 25,000,000 (or EUR 1,098,000). If sensitive personal data is involved, fines may double. This also applies in cases of recidivism. The NAI imposes approximately 65-85 fines per year. – Teresa Espinosa – Basham, Ringe y Correa, S.C.
Ius Laboris Germany December 20, 2018 at 08:51
The example described above is indeed the first published case of a fine being handed out in Germany. Many would have expected one of the larger companies, potentially one of the data-hungry Internet companies such as Facebook, to be the first victim. Instead, it was social network Knuddels, a smaller network aimed mostly at teenagers, with an annual turnover of EUR 1.7 million in 2016 according to online sources. During a hack in July 2018, data from about 330,000 users (including email addresses and passwords) became known because they were not protected against hacking by means such as encryption. When the network became aware of the hack, they filed a data breach report to the authority on 8 September 2018.
As stated above, the Data Protection Authority took into account that the network proactively reported the breach, and were very transparent during the process. They also made investments in their data security very swiftly and are planning further improvements over the coming weeks. – Jessica Jacobi – KLIEMT.Arbeitsrecht
Ius Laboris Austria December 20, 2018 at 08:52
Since the entry into force of the GDPR in Austria, more than 60 official investigations have been initiated and more than 110 administrative criminal proceedings are currently pending. So far, fines on the basis of the GDPR and the national legislation implementing it have been imposed in four cases. All four decisions concerned illegal video surveillance and the imposed fines varied from EUR 300 to EUR 4800. The highest penalty so far was imposed on a betting shop operator, who had not sufficiently marked his video surveillance system and taped an unnecessarily extensive part of the pavement in front of the shop. The Austrian data protection authority stated that in this case a higher penalty would have been disproportionate.
According to the Austrian Data Protection Act, the implementation of the GDPR regulations must be proportionate and therefore an initial infringement will only lead to a warning and not to immediate sanctions. It is not clear from the information available if in the four cases mentioned a previous warning has been given or if the fines were imposed based on the extensive public surveillance, which was already forbidden before the GDPR regulations came into force. – Birgit Vogt-Majarek – Schima Mayer Starlinger Rechtsanwälte
France + Comments from other countries – Unprecedented EUR 50 million fine imposed on Google for data protection violations
On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for lack of transparency, inadequate information and failure to obtain valid consent for ad personalisation in violation of the GDPR.
The violations of the GDPR noted by the CNIL
Violation of the transparency and information obligations
The fine followed an investigation carried out by the CNIL, as a result of a joint complaint filed by the non-profit organisations None of Your Business (NOYB) and La Quadrature du Net (LQDN) in May 2018.
The joint complaint alleged that Google did not clearly state which processing operations relate to each ‘legal basis’ relied on under the GDPR (e.g. performance of a contract to which the data subject is party, compliance with a legal obligation to which the controller is subject, data subject’s consent, etc.), and simply listed four bases for lawful processing.
The CNIL observed that the information on the data processing activities provided to users was neither easily accessible to users nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of the purposes, storage periods or categories of personal data used for ad personalisation was spread across various documents, with several clicks required to access the full information.
The CNIL also observed that in light of the number of processing operations carried out by Google (approximately 20), the description of the purposes of processing was too generic and vague. It found that it was not clear to the user that Google was relying on data subjects' consent rather than the legitimate interest of the company to process data for ad personalisation.
Violation of the obligation to have a legal basis for advert personalisation processing
Google relied on data subjects' consent to process data for ad personalisation purposes. However, the joint complaint alleged that data subjects did not freely consent, because they had to 'agree' to Google's entire privacy policy and terms and conditions in order to access its products.
The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ‘ad personalisation’ section.
Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalisation.
The CNIL thus concluded that this agreement did not constitute ‘specific, informed and unambiguous’ consent in accordance with Article 4(11) of the GDPR.
The fine imposed by the CNIL and reporting of it
This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018.
Pursuant to the GDPR, a two-tiered sanction regime applies in case of violation of data protection laws. The lower tier, up to EUR 10 million or 2% of the company's global annual turnover, applies to infringements listed in Article 83(4) of the GDPR (including infringements of the provisions on the records of processing activities, the security of processed data, notification of a personal data breach to the data protection authority ('DPA'), etc.). The higher tier, up to EUR 20 million or 4% of the company's global annual turnover, applies to infringements listed in Article 83(5) of the GDPR (including infringements of data subjects' rights and the 'basic principles' of data processing, for example conditions for consent, lawfulness of processing and processing of special categories of personal data).
When deciding whether to impose a fine or its amount, the following factors are taken into consideration by the DPA pursuant to Article 83(2) of the GDPR: the nature, gravity and duration of the infringements in light of the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; any action taken by the controller or processor to mitigate the damage suffered by data subjects; the controller’s or processor’s degree of responsibility in light of the technical and organisational measures implemented by them; any relevant previous infringement by the controller or processor and the degree of cooperation with the DPA to remedy the infringement and mitigate the possible adverse effects of the infringement; and the categories of personal data affected by the infringement.
In this case, the CNIL indicated that its decision to apply the higher level fine as well as to publicise the fine (on its official websites and those of the French legislature) was justified by the seriousness of Google’s violations of the GDPR’s basic principles of transparency, information and consent.
The CNIL also specified that, despite the measures implemented by Google (documentation and configuration tools), the huge amount of data, the wide variety of services and the almost unlimited number of possible combinations involved in its data processing operations required it to enable users to control their data effectively and to give valid consent by sufficiently informing them. Having failed to do so, Google deprived its users of essential guarantees.
Its decision was further influenced by the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR. To illustrate the reach of Google’s violation, the CNIL pointed out the large market share held by Android in France and the thousands of French data subjects who create a Google account each day in relation to their Android use.
Lastly, the CNIL pointed out that as the company's business model was partly based on ad personalisation, Google had all the more reason to ensure that it complied with its GDPR obligations.
What can employers learn from this decision?
Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
It is clear from the CNIL’s decision that claiming to be compliant is not enough. Companies need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.
Employers should also ensure that data processing operations involving employee personal data rely on a ‘legal basis’ other than consent, since employees may withdraw their consent at any time, which would create practical difficulties for the employer. Moreover, the European Data Protection Board has indicated that consent is not valid in the event of a ‘manifest imbalance’ between the data subject and the controller, such as in the relationship between employee and employer.
Lastly, employers should be aware of the GDPR’s ‘one-stop-shop’ mechanism: this mechanism pertains to cross-border data processing operations and provides that an organisation established in the EU can only have one point of contact, the ‘lead authority’. This lead authority is the DPA of the member state where the organisation’s main establishment is located and it cooperates with the DPAs in the other countries involved before making a decision on cross-border data processing operations.
In this case, given that Google LLC’s European headquarters is in Ireland, one might have expected the Irish DPA to have competence to decide the claim brought against it. However, following exchanges with its European counterparts, especially with the Irish DPA, the CNIL found that Google had no ‘main establishment’ in the EU on the grounds that Google’s Irish establishment did not have decision-making power over the data processing operations carried out in relation to the Android operating system or the services provided by Google in relation to the creation of a Google account during the configuration of Android cell phones. Therefore, the ‘one-stop-shop’ mechanism was not applicable according to the CNIL and the French DPA was competent to control data processing operations carried out by Google LLC in France, as were the other DPAs in their respective countries.
The view from other places
Ius Laboris Belgium February 6, 2019 at 09:44
In our small, but complicated trilingual country, the DPA has not become fully operational since the application of the GDPR. The problem so far has been that the law on the transformation of Belgium’s former Privacy Commission to the DPA provides that the DPA direction committee should be composed of five members, one of whom should speak German. Apparently, until recently, no one who was interested had passed the German test. In January 2019, new tests took place and a couple of candidates passed the German test. It is expected that the members of the direction committee will be appointed by Parliament prior to the May 2019 elections. Only then (about a year after the application of the GDPR), can inspections and sanctions such as in France be expected in Belgium. – Stephanie Raets – Claeys & Engels
Ius Laboris Spain February 6, 2019 at 09:46
The Spanish DPA is fully operational under Organic Law 3/2018 of 5 December 2018 on the protection of personal data and guarantee of digital rights. Although the DPA has not yet imposed a fine under the GDPR, it should be taken into consideration that complaints have increased 33% compared to last year. In the past, Google was fined EUR 900,000.00 by the DPA for the commission of three serious infringements, the maximum amount allowed by the law in force at that time. – Gisella Rocio Alvarado Caycho – Sagardoy Abogados
Ius Laboris Hungary February 6, 2019 at 09:47
In Hungary, the DPA started operating shortly after the application of the GDPR on 25 May 2018. Inspections and proceedings have been already initiated under the GDPR, however, fines have not yet been issued by the Hungarian DPA. Although the general legislation related to GDPR has already been adopted in Hungary, there are still no legislative provisions regulating sector data management. Many legislative provisions will have to be amended in the future; hopefully most of the amendments will be made in 2019. – Dr. Nóra Óváry-Papp – CLV Partners
Ius Laboris Sweden February 6, 2019 at 09:50
In Sweden, the DPA (Datainspektionen) has not yet fined any organisation under the GDPR. The director general for Datainspektionen has stated that it is important to make examples, but also to show respect for companies that have invested a lot of money, resources and effort in becoming compliant. Datainspektionen has also recently initiated an investigation regarding Google’s access to Android users’ location data by using ‘Location History’ and ‘Web & App Activity’ functions. According to the complainant, Google uses deceptive design, misleading information and repeated ‘pushing’ to manipulate users into allowing constant tracking of their movements. The complainant holds that the processing of location data is unlawful, and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR. Datainspektionen has sent a request for information to Google. Google has until 15 February 2019 to answer. – Sofia Lysén – Elmzell Advokatbyra AB
Ius Laboris Austria February 6, 2019 at 09:51
So far, the Austrian DPA has imposed fines on the basis of the GDPR and its national transformation in four cases, all concerning illegal video surveillance. The fines ranged from EUR 300 to EUR 4,800, far removed from the level of the CNIL Google fine.
If the Google case were filed in Austria, assuming that the DPA were the competent authority, it is likely that it would come to the same conclusions on the merits as the CNIL. However, deviating from the CNIL, pursuant to Section 11 of the Austrian Data Protection Act, the DPA has to apply the GDPR regulations, including the sanctions detailed in Article 83, proportionately. Consequently, before imposing a fine, the DPA will make use of its power to settle the case by issuing warnings. If a violation of the GDPR cannot be settled by issuing a warning, the first fine imposed can also be expected to be reasonable based on these principles. It is therefore unlikely but not excluded that the Austrian Data Protection Authority will impose sanctions of a comparable level to the CNIL. – Birgit Vogt-Majarek & Andreas Kezer – Schima Mayer Starlinger Rechtsanwälte GmbH
Ius Laboris Netherlands February 6, 2019 at 09:53
The Dutch Data Protection Authority (DDPA) has not yet issued any fines based on the GDPR. However, the DDPA is entitled to do so based on the Dutch implementation act. The DDPA did recently (November 2018) impose a fine based on previous privacy legislation. The fine was imposed on Uber: Dutch privacy rules already included the possibility of imposing fines for data breaches before the GDPR.
The DDPA is entitled to impose similar fines to the French authority. The implementation act only includes minor limitations on imposing fines regarding unlawful processing of criminal personal data and imposing fines on public bodies. The DDPA is also entitled to impose incremental penalties (that is, to issue an order to rectify and impose penalties on the organisation if the order is not complied with). Although fines similar to that imposed in France can also be expected in the Netherlands, it is more likely that pursuant to the Dutch system of general administrative law, the DDPA will impose incremental penalties rather than fines. – Ilse Baijens – Bronsgeest Deur Advocaten
Ius Laboris Cyprus February 6, 2019 at 10:44
In Cyprus, the DPA has recently announced the start of drastic inspections and audits in both the public and private sector. Its aim is to give guidance to organisations and not to impose high administrative fines, except if there is a very serious issue or breach. Seven inspections have already been carried out. From 25 May 2018 until the end of 2018, the DPA received a total of 281 complaints (103 of them concerning ‘spam’ marketing messages). It was notified of 32 personal data breaches and has issued four decisions with fines up to EUR 11,500. Also, in the DPA cooperation system, 255 cross-border cases have been registered, for which two decisions have been issued. The DPA has stressed that under Article 57 and 58 of the GDPR, it is within its powers to carry out inspections to monitor and enforce compliance. It remains to be seen what further inspections and fines will be imposed. – Doria Papanicolaou – George Z. Georgiou & Associates LLC
Ius Laboris Lithuania February 6, 2019 at 10:47
News of the CNIL's fine on Google spread quickly and was widely discussed in the local media. The official reaction provided by the Lithuanian DPA was that they agree with the interpretation of the provisions of the GDPR and the arguments made by the CNIL in this case. It was suggested that local companies should learn from this CNIL decision and make adjustments in the way they process personal data in order to be compliant. The DPA also announced that the 'grace period' of six months is coming to an end and that fines will follow in Lithuania as well (when the GDPR came into force, the DPA announced that they would not impose fines for the first six months). – Renata Vasiliauskienė – COBALT
Ius Laboris Czech Republic February 6, 2019 at 12:14
In January 2019, the Czech DPA received a complaint against Google from a data subject represented by the non-profit organisation dTest, o.p.s. It concerned the processing of users' personal location data. The complaint relates to Google not acting transparently in processing personal data and is based on Norwegian consumer research, which has also been the basis for complaints in other member states. Applying GDPR rules on cross-border cases, the Czech DPA informed the Irish Data Protection Commissioner about the complaint. Because Google's main EU establishment is in Ireland, the Irish office should become the lead authority for Google's data processing activities.
We see a lesson here for employers, who should be aware of their obligation to inform employees of personal data processing. Their obligations are not limited to providing a sufficiently clear and comprehensible privacy notice, but extend to communicating with employees about their rights and obligations, for example via the HR department, Q&As, regular training, or preparing summarised versions of the privacy notice. Using these channels may ensure better GDPR compliance where a simple privacy notice may not be detailed enough. Our practical experience demonstrates that these initiatives help prove that the employer (as controller) is making best efforts to ‘get the information into employees’ heads’. – Irena Lišková & Jakub Lejsek – Randl Partners
Randl Partners has joined the international alliance GALA
Pavel Randl and Irena Lišková have joined GALA, an international alliance of lawyers specialising in advertising law.
Through partner law firms around the world, GALA will provide clients of Randl Partners with comprehensive legal advice and answers to questions relevant to international groups, entrepreneurs, advertisers and advertising agencies.