COVID-19 outbreak sparks privacy concerns

In this context, some EU data protection authorities published specific guidelines on the application of the GDPR. For instance, the Hungarian, Irish and the Spanish authorities suggest that an employer might be able to rely on Art. 9(2)(b) when processing health data of employees, if they have specific legal obligations in the field of employment, to safeguard the health of employees. The French and Italian authorities discourage mandatory systematic data collection from employees through testing and health questionnaires. The French and Belgian DPAs expressly prohibit employers from applying drastic measures such as mandatory temperature measuring. The Hungarian and Irish authorities do not oppose the application of questionnaires to employees and visitors, however, these should be necessary and proportional (in the case of Hungary, such questionnaires cannot collect data on medical history). The privacy supervisors encourage preventive actions such as raising employee risk awareness, establishing internal reporting channels and promoting distance working.

Here are direct links to the EU privacy supervisors’ guidance and further resources:
EDPB Statement
CNIL – France
DPC – Ireland – COVID-19
DPC Ireland – Working from home
Garante – Italy
AEPD – Spain
APD – Belgium
Hungary – NAIH (EN article)
Data Protection Authority of Baden-Württemberg (EN article)
ICO – UK
FPF Summary of DPA guidance
Hogan Lovells comparative table
Taylor Wessing comparative table
DataGuidance worldwide summary

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

GDPR enforcement actions

The Irish Data Protection Commission, has commenced an ex-officio Statutory Inquiry, with respect to Google that will set out to establish whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.
The Bergen Municipality was fined with €170,000 by the Norwegian DPA after files containing the personal data of over 35,000 pupils and employees of the municipality’s primary schools were left unprotected and openly accessible for any system user regardless of type of authorization.
The Italian DPA (Garante) applies a huge fine on a telecom company for unlawful marketing practices.
Austrian DPA decided that a company has violated art. 32 of the GDPR by not imposing a double opt-in mechanism (article in English).
Read here about the steps taken by a Spanish company to minimise the risks following a data breach reported to the Spanish DPA.
The Finish DPA decided that audio recordings are considered personal data and that the right to access must be applied (see here a summary in English).

Guidelines & reports

EDPB
Publishes draft guidelines on processing personal data in the context of connected vehicles and mobility related applications. Public consultations end on 20 March 2020.
Releases a two-year review of GDPR, and its success.
Publishes statement on privacy implications in mergers.

Spain
Technical note identifying potential privacy problems regarding the use of Domain Name System Protocol, and the implications of illegitimate data processing resulting from this (direct download link).
 Technical note for privacy and mobile apps.
English version of its rules for compliance of processing that embeds Artificial Intelligence (direct download).

Germany
The Bavarian DPA for the Private Sector publishes list of don’ts when handling data subject requests (see here an article in English).
Independent Centre for Data Protection Schleswig-Holstein clarifies how non-anonymized real data can be used in test systems (see here an article in English).

Ireland
The Irish DPC publishes Guidance for Controllers on Data Security.
Irish DPC Blog: Does the GDPR Really Say That? – Attendee Lists and Name Tags.

Denmark
The Danish supervisory authority (Datatilsynet) publishes practical advice on “the most common pitfalls to avoid” when developing and implementing cookie consent banners (see here an article in English).

Belgium
Belgian DPA aims to help organisations and marketers with detailed direct marketing guidelines.

France
The French CNIL issued guidance on contract as a legal basis for processing under GDPR (article in English).

Netherlands:
The Dutch DPA publishes recommendations for protecting privacy for users of connected cars (document in Dutch) (article in English).

Greece:
The Greek DPA issues Cookie guidelines (Greek only).

EDPS
Publishes Guidelines on personal data and electronic communications in the EU institutions (direct download).
Issues its Opinion on Opening of negotiations for a new partnership with the UK.

ENISA, the EU Agency for Cybersecurity has published Standards Supporting Certification, a report concerning frameworks, schemes or standards that can potentially be evolved to EU candidate cybersecurity certification schemes.
Isle of Man Information Commissioner: guiding points on CCTV in various scenarios.
The UK Centre for Data Ethics and Innovation recommendations aim to make online targeting more accountable, increase transparency, and empower users to take control.

Case-law & legislation

ePrivacy
  Amendments regarding EU ePrivacy Regulation proposal have been published by the Council of the European Union (21.02.2020).

Developments in Romania
The Authority for the Digitalisation of Romania has been established through Government Decision no. 89.2020.
The Constitutional Court of Romania has declared unconstitutional the Government Emergency Ordinance no. 62/2019 (which sought to collect the ID data of SIM card buyers), citing a lack of urgency regarding the regulation.
Anti-Money Laundering legislation in Romania: Application norms have been adopted for Law no. 129/2019.
The National Bank of Romania issues Regulation on security measures applicable to payment services.
The Romanian DPA clarified that data processing consent is not required for making public doctoral works, if a legal obligation exists for such publishing.
The Romanian Supreme Court established that a distance contract for financial services constitutes a writ of execution even in the absence of a handwritten signature or an extended electronic signature.

Decisions from the EU
A Dutch court stops an automated surveillance system based on AI which was used for detecting welfare fraud because it violates human rights.
Hamburg Court clarifies the situation regarding the main establishment in case of a controller with multiple EU establishments (see here an article in English).
France: First court decision applying the GDPR to facial recognition.

More data protection news

European Commission published findings from screening of nearly 500 e-shops – two thirds of the websites do not comply with basic consumer protection rights. The EC also communicated its European strategy for data.
Microsoft publishes open source tool for data mapping, which helps link ISO 27701 control corresponds to which legislative frameworks applicable to data protection (including the GDPR).
Investigation finds that UK Councils are sharing information with private companies about users of their websites – including when they seek help with a benefit claim, or with a disability or alcoholism.
Facebook’s German branch fined 51,000 euros for not appointing a DPO, should serve as “warning” for others, as per German DPA. The company has also postponed its launch of a dating feature on the online platform, following concerns of the Irish privacy supervisor.
Ireland: Employees of top law firm reportedly prohibited from working from home if near Amazon Alexa devices, following concerns over leaked information.
Man allowed appeal at Irish High Court over the use of CCTV cameras in a disciplinary action against him “taking unauthorized breaks and controversial graffiti drawing”.
Canadian Privacy Commissioner files Notice of Application with the Federal Court against Facebook.
Ireland: Catholic Church records may be inspected over GDPR concerns related to the right to deletion in the case of persons wishing to leave Catholicism.
Egypt will have a data protection law.
The BBC reports that Clearview AI, the face-collecting company had its database hacked.

Recommended articles

Laura Berton: Has the liability issue with AI been resolved?
This Entrepreneur article states a number of ways in which employers can, or have already, tracked the activity of their employees using tech.
DataGuidance: Comparative law article regarding the cookie privacy policy throughout the EU.
Future of Privacy Forum: A one minute video describing how lack of privacy and inability to exercise free speech go hand in hand.
Medium: “I have nothing to hide. Why should I care about my privacy?”.
LifeHacker: Complete guide to data privacy online.
IAPP: EU representative on ‘How to operationalize Article 27’ of the GDPR.
CJEU Factsheet: Electronic commerce and contractual obligations (direct download).
OSF: Civil Society Organizations and General Data Protection Regulation Compliance: Challenges, Opportunities, and Best Practices.
WhistleB Blogs: What is happening with the EU Whistleblower Protection Directive in the different countries?
IAPP: 11 drafting flaws for the European Commission to address in its upcoming GDPR review
Fieldfisher: Subject Access Requests and the Search for Proportionality.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Our newsletters are available for information purposes only and cannot be relied on as legal advice.