GDPR related updates across the EU Vol.6

1. Complaint regarding failure to satisfy the right to deletion

A complaint was filed with the Federal Supervisory Authority of Germany against Freedom Finance Europe Ltd (hereinafter referred to as "the Company") concerning the failure to satisfy the complainant's right to deletion. As the Company is primarily based in Cyprus, the Office of the Commissioner for Personal Data Protection (hereinafter referred to as “the Cypriot DPA” undertook the investigation of the complaint on 18/9/2021.

The complainant stated that they had initiated a registration process on the Company's website, which they did not complete, and requested the deletion of any collected information. After not receiving confirmation that their request had been fulfilled, they sent a reminder, to which they also did not receive a response.

The Company supported that, although the complainant's deletion request was not sent to the correct email address, they confirmed that the complainant's personal data had been deleted and provided relevant evidence, deemed satisfactory.

The Cypriot DPA has found a violation of Article 12(3) of the GDPR as per their Decision, dated 7^th September 2023, as the requests for deletion were not satisfied within a month, and of Article 24(1) as the Company had not adequately implemented technical and organisational measures to ensure that all email messages received by employees regarding data subjects' rights are forwarded without further delay. A reprimand was issued to the Company as there was no prior violation of the Regulation on their part.

2. Requesting Excessive Identification Information to Comply to a Subject Access Request by Technius Ltd

A complaint was filed at the Dutch Regulatory Authority against Technius Ltd (hereinafter referred to as "the Company"), the operator of the StripChat website, regarding the denial of access rights and failure to inform about a data breach incident involving the complainant. As the Company is primarily based in Cyprus, the Office of the Commissioner for Personal Data Protection (hereinafter referred to as “the Cypriot DPA”) undertook the investigation of the complaint on 23/12/2021.

The complainant learned through media outlets that the StripChat website had suffered a data breach. Subsequently, he discovered that an unknown third party had created an account on StripChat using his personal email address. The complainant then contacted the Company to request a copy of his personal data held by the company and to inquire if his data had been affected by the breach.

The Company requested identification documents from the complainant and informed him that his account would be deleted as it was created with malicious intent. The Company also claimed that the complainant's access request was satisfied as they provided all necessary information and explanations regarding the account opened with his email address, as well as all available information about the breach incident.

The Cypriot DPA, in their Decision dated 4 October 2023, after considering the above found a violation of Article 5(1)(g) of the GDPR, as the data controller had no reasonable cause to request additional verification from the complainant. Additionally, as per the Cypriot DPA, Article 34(1) was breached since the Company did not properly disclose the personal data breach. A reprimand was issued to the Company, acknowledging their lack of prior violations and prompt compliance with the Cypriot DPA’s instructions.

3. EDPB Report Highlights Challenges and Recommendations for Data Protection Officers

The European Data Protection Board (EDPB) unveiled its latest report on 17 January 2024 during its recent plenary session, shedding light on the findings of its second coordinated enforcement action. Focusing on the designation and positioning of Data Protection Officers (DPOs), the report marks a significant step in enhancing data protection practices across the European Union.

Anu Talus, Chair of the EDPB, emphasized the importance of the Coordinated Enforcement Framework (CEF), enabling closer cooperation among data protection authorities (DPAs) to ensure efficiency and consistency. Talus highlighted the crucial role of DPOs in upholding compliance with data protection laws and safeguarding data subject rights. Through the CEF, DPAs conducted an EU-wide investigation into the capabilities of DPOs in fulfilling their obligations as mandated by the GDPR, resulting in a comprehensive analysis of existing challenges and recommendations for improvement.

Throughout 2023, 25 DPAs spanning the European Economic Area (EEA), including the European Data Protection Supervisor (EDPS), embarked on coordinated investigations into the status and effectiveness of DPOs. Soliciting feedback from a diverse array of organizations across both public and private sectors, the inquiry amassed over 17,000 responses, providing invaluable insights into the landscape of DPO roles five years post-GDPR implementation.

While the report acknowledges certain hurdles encountered by some DPOs, such as inadequate resources or lack of independence, it also underscores positive trends. The majority of surveyed DPOs expressed confidence in their skills and knowledge, receiving regular training and operating without undue interference. However, disparities persist, with a notable portion of DPOs facing challenges in fulfilling their roles effectively.

To address these challenges, the report presents a series of recommendations aimed at bolstering DPO independence and ensuring adequate resource allocation. Suggestions encompass heightened awareness-raising efforts by DPAs, coupled with organizational measures to support ongoing education and skill enhancement for DPOs. Accompanying the report are two appendices detailing statistical insights gathered during the enforcement action and national reports from participating DPAs.

4. French SA Imposes €75,000 Fine on Tagadamedia for GDPR Violations in Data Collection Practices

In a recent Decision dated December 29, 2023, the French Supervisory Authority (SA) imposed a €75,000 fine on Tagadamedia, a company operating online competition and product testing websites, as part of an investigation into commercial prospecting practices. The SA focused on data brokers, intermediaries in the data resale ecosystem. Tagadamedia was found to collect prospect data through forms on its websites, claiming to obtain consent for processing. However, the forms did not align with GDPR requirements, lacking the elements necessary for free, informed, and unambiguous consent. Even a new form submitted during the sanction procedure did not rectify this issue, leaving the processing operation without a legal basis.

The French SA identified two GDPR breaches: the failure to establish a proper legal basis for data processing (Article 6 of the GDPR) and the failure to implement a record of processing activities (Article 30 of the GDPR). As a result, Tagadamedia faced an administrative fine of €75,000. This decision underscores the importance of obtaining valid consent in compliance with GDPR regulations and maintaining accurate records of processing activities.

5. Complaint regarding unauthorized access to former patient’s General Health System account

An investigation was conducted by the Cypriot DPA into a complaint dated 22/03/2021 concerning a doctor's unauthorized access to the General Health System (hereinafter referred to as “GHS”) account of a former patient. The complainant had undergone surgery performed by the doctor in 2018, predating the implementation of GHS. Subsequent to a Google Reviews evaluation by the patient, the doctor filed a claim against the complainant, seeking damages for purported defamatory publications. Following this, the doctor accessed the complainant's beneficiary GHS file on two occasions.

Taking into account the pre-existing relationship between the parties and the doctor's possession of the complainant’s data, access to the complainant's file could be deemed justifiable if in accordance with Article 9(2)(h) of the GDPR. Article 9(2)(h) pertains to the exemptions from the prohibition of processing special categories of personal data where the processing is necessary for health or medical reasons.

However, during that particular timeframe, the complainant was not actively receiving services from the doctor. Therefore, the application of Article 9(2)(h) of the GDPR is not justified in this context.

In light of the above, in the Decision of the Cypriot DPA dated 05/12/2023 a breach of Article 9(2)(h) of the GDPR was found by the doctor and a reprimand was issued. The Cypriot DPA’s Decision factored in both some aggregating and mitigating elements, inter alia, the fact that the doctor is no longer contracted with GHS.

6. EDPB’s Coordinated Enforcement Framework on the right of access

The European Data Protection Board (hereinafter referred to as “EDPB”) has announced on the 28^th February 2024 that it has initiated a Coordinated Enforcement Framework (CEF) action, involving the collaboration of 31 Data Protection Authorities (hereinafter referred to as “DPAs”) from across the EEA, including 7 German-state supervisory authorities. The aim of the CEF for 2024 is to streamline better enforcement of the right of access.

The focus of EDPB on the right of access can be justified as it is one of the rights closer to the data subjects and enables them to exercise other rights, like the right to erasure. The EDPB has already issued guidelines on the right of access, aiming to assist organisations in better responding to requests from data subjects regarding their right to access their data. As part of the initiative, the DPAs will send questionnaires to organisations to identify any needs for formal investigation regarding any right of access violations and/or non-compliant practices. If needed, they will proceed with conducting a formal investigation and also follow-up on any ongoing formal investigation.

Upon the completion of the CEF, the DPAs collectively will decide on the necessary forthcoming actions and the EDPB will publish a report on the insights they have gathered through this CEF action.

This marks the third initiative under the Coordinated Enforcement Framework. The two previous coordinated initiatives addressed the use of cloud services by the public sector and the definition and role of Data Protection Officers, respectively.

7. ECJ Ruling: Data Protection Authorities to Delete Unlawfully Obtained Personal Data

The recent decision by the European Court of Justice (Case C-46/23), dated 14 March 2024, mandates national data protection authorities to delete unlawfully obtained personal data, even without a prior request from the data subject. This ruling ensures full compliance with GDPR and prevents ongoing illegal processing by data controllers.

The case originated from a Hungarian municipality's mishandling of personal data during the COVID-19 pandemic relief efforts. The Hungarian Data Protection Authority (hereinafter “Hungarian DPA”) fined the municipality for violating GDPR rules. In particular, the Hungarian DPA found that the municipality did not inform the data subjects within one month on the usage of their data and their related rights under the GDPR. On the contrary, the municipality contested the Hungarian DPA’s order to delete data of eligible individuals without their written request.

The European Court of Justice clarified that Data Protection Authorities have the power to order data deletion to rectify GDPR violations, regardless of whether a request is submitted by the data subject. This prevents data controllers from unlawfully retaining and processing personal data without consent. The decision also emphasized the Data Protection Authority's role in safeguarding personal data, whether obtained directly from the data subject or from another source.