Others

CASES, SANCTIONS AND CLAIMS

The European Court of Human Rights published a factsheet with some relevant case law regarding data privacy and Art. 8 of the European Convention on Human Rights.
The European Court of Justice published the judgement in Case C‑193/18 dealing with the concept of electronic communications networks and services.
The CJEU Advocate General Campos Sánchez-Bordona delivered the Opinion in case C‑78/18 (European Commission v Hungary) concerning the national law which required transparency for donations from abroad made to certain NGOs. The AG finds the measure “unjustified and disproportionate interference with the rights of those who make donations to respect for their privacy and to the protection of their personal data”.
The Dutch Supreme Court ruled that “Street parking enforcement via licence plate scanning is lawful and proportionate interference with article 8 ECHR”.
The Romanian Court ruled that displaying a court decision containing the names of the parties, as well as their other identifying data, in a public, visible and easily accessible place is likely to infringe the data subject’s right to protection of personal data.
European Court of Human Rights (ECHR) has published a factsheet containing a summary of the most relevant cases on data protection.
European Court of Human Rights (ECHR) has published a factsheet containing a summary of the most relevant cases on data protection related to the new technologies.
The Belgian Market Court has quashed a previous decision by the litigation chamber of the Belgian Data Protection Authority (BDPA) in relation to the use of the Belgian electronic identity card as a means of obtaining a loyalty card at a liquor store. The Belgian DPA issued a fine of EUR 10,000 for a merchant who required customers to provide their ID cards to be scanned to receive loyalty cards.
European Court of Human Rights published a factsheet with the summary of the new cases on New Technologies.
The Hungarian National Authority for Data Protection (the lead supervisory authority in this case) has rejected a complaint lodged with the Romanian data protection authority for lack of evidences. The DPA considered the complaint being ungrounded (see the decision here).
According to Advocate General Szpunar, a service that puts taxi passengers directly in touch, via an electronic application, with taxi drivers constitutes an Information Society service (see here the press release).
Finland: Nokia is being investigated for possible GDPR violations concerning unencrypted data transfers from Nokia phones to servers in China.
EDPS: Investigation into contractual agreements concerning software used by EU institutions.
Investigation launched by EDPS into the contracts between Microsoft and EU institutions.
The EDPS publishes preliminary results in the investigation of the use of Microsoft products by EU institutions.
In Germany, the Baden-Wuerttemberg Authority imposed a fine of EUR 1,400 on a police officer who was accessing personal data for private purposes through official means.
The Austrian DPA imposed an administrative fine of 18 million euros on Österreichische Post AG after conducting administrative fine proceedings.
Tusla fined by Data Protection Commission over three GDPR breaches.
A lawyer gets fined €2,000 under the GDPR, by the Spanish DPA. According to the authority’s resolution, the lawyer has summoned the tenants of a property on two occasions, by reusing sheets of paper containing third-party personal data (names) on the reverse side.
Romanian DPA imposed a fine of €3,000 against Telekom Romania Communications SA. Romanian DPA found that the controller did not implement enough security measures in order to include the verification of the accuracy of personal data collected by telephone (remotely) for the purpose of concluding contracts.
The Hungarian DPA imposed two fines (in the amounts of approx. €7,225 and €5,780) on the publisher of Forbes Hungary in connection with publishing the list of the 50 wealthiest Hungarians and the list of the biggest family-owned businesses (Both texts available only in Hungarian).
GDPR and garbage bins – in a surprising case originating from Ireland, the DPA confirmend that any litter collected in the postal office public bins would not be subjected to GDPR laws. An Post, the Irish postal services provider, removed all public bins from a certain post office, measure caused by, as stated by them, potential privacy breaches under the GDPR.
No, it is not necessary to ban visitors’ books because of GDPR.
A formal GDPR complaint has been submitted against Google for infringing Article 5(1)b of the GDPR, which sets forth the “purpose limitation” principle.

REPORTS AND ARTICLES FROM OTHER ORGANISATIONS

Global Privacy Enforcement Network: 2018 report on the implementation of privacy accountability around the world.
Bird & Bird: Guide to the General Data Protection Regulation.
Information technology – ISO/IEC 29184 has been published. ISO/IEC 29184 concerns “content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII Principals”.
“We need to talk about terms and conditions” – an article by Giovanni Buttarelli on the EDPS blog.
Authorities in Bucharest are reported to plan a survey of pet owners, which raises issues about data minimization (article in Romanian).
The Privacy Icons Forum was launched, which is “a collaboration of institutions that focus on the development, design and implementation of data privacy and data protection icons.”
pdpEcho: Brief case-law companion for the GDPR professional.
Valentina Pavel, PI Mozilla-Ford Fellow: Our Data Future.
Privacylawblog.fieldfisher.com: Accountability – the enabler to evidencing your compliance under the GDPR.
The Guardian: These new rules were meant to protect our privacy. They don’t work.
OSF: Civil Society Organizations and General Data Protection Regulation Compliance: Challenges, Opportunities, and Best Practices.
IAPP: 11 drafting flaws for the European Commission to address in its upcoming GDPR review
Bird&Bird: Implementation of the Trade Secret Directive – An Update from Poland.
(2020, Oct) Radboud Repository published “The purpose and limitations of purpose limitation”.

OFFICIAL GUIDELINES, REPORTS AND STATEMENTS

EDPS: The Hitchhiker’s Guide to Regulation 2018/1725.
ISO: First ISO standard on information privacy management has been published.
Irish DPC: Guidance Note on Data Protection Basics.
European Commission: results of survey conducted on topics regarding GDPR and the Charter of Fundamental Rights.
Technlogylawdispatch: German DPA released audit checklist for GDPR readiness.
German DPAs (DSK) propose changes to the GDPR, based on their experience so far.
Council: position and findings on the application of the GDPR (direct download).
Finnish DPA: FAQ section in English.
Irish DPC: comments on whether data protection law can apply to opinions.
EDPB: two-year review of GDPR, and its success.
Irish DPC Blog: Does the GDPR Really Say That? – Attendee Lists and Name Tags.
EDPS: Guidelines on personal data and electronic communications in the EU institutions (direct download).
Irish DPC: Guidance for retailers Issuing e-Receipts.
EDPS: Brochure on Flowcharts and Checklists on Data Protection.
EDPS: Opinion 3/2020 on the European strategy for data.
European Commission: Data protection rules as a trust-enabler in the EU and beyond – taking stock (direct download).
ENISA publishes report on the main supervision changes brought by the European Electronic Communications Code.
EDPS: annual report for 2019 containing statistics, the role of EDPS in relation with the implementation of GDPR, Court Cases, EDPS’ structure, the role of DPO (Data Protection Officer) at the EDPS, etc.
Dutch DPA: press release stating (only in Dutch) that the tax system does not comply with the GDPR.
(2020, Sep) The European Court of Human Rights published a case-law summary (Factsheet), comprising judgements and pending applications on the topic of data protection.