GDPR related updates across the EU
1. EDPB adopts final version of Guidelines on data subject rights - right of access
Following public consultation, on 28 March the European Data Protection Board (EDPB) adopted the final version of its Guidelines on data subject rights - Right of access. The right of access allows individuals to be informed about the processing of their personal data in a transparent way and through easily accessible information. The Guidelines analyse the various aspects of the right of access and give more precise guidance on how that right must be implemented in different situations.
2. Launch of the 2022 Annual Activity Report of the EDPB
On 17 April 2023, the EDPB presented its 2022 Annual Activity Report. The report summarises the work carried out by the EDPB over the past year. The objectives for 2023 include, among others:
- the support of effective enforcement and efficient cooperation between national supervisory authorities;
- a fundamental rights approach to new technologies;
- ensuring a global dimension and understanding.
3. CNIL issues €125,000 fine against e-scooter rental company
The CNIL (French DPA) found that Cityscoot, an e-scooter rental company, collected the geolocation of rented e-scooters every 30 seconds and kept a record of this information. The CNIL concluded that, in doing so, Cityscoot breached its obligation of data minimisation under Article 5 of the EU General Data Protection Regulation (GDPR). It further determined that this type of processing is highly intrusive and that the service could be provided without collecting users' geolocation on an almost permanent basis. The decision was taken in cooperation with the Spanish and Italian data protection authorities, as Cityscoot also offers its services in those countries.
4. Complaint about receiving unwanted calls from a telecommunications company
A complaint was filed with the Office of the Commissioner for Personal Data Protection by a former telephone number holder of Epic Ltd (hereinafter Epic). The complainant was receiving telephone calls from the company's sales department at inappropriate times. These calls were made from a list maintained by Epic which, in addition to the complainant, also included other telephone numbers (332 in total). It was not clear how the list in question operated or on which legal grounds it was based, and the data were retained for longer than the prescribed period. Consequently, it was found that the calls in question were carried out without a legal basis, in breach of Article 6(1) of the GDPR. Epic also breached Articles 24(1) and 24(2), as well as Article 32(1), by failing to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing was carried out in accordance with the Regulation and to guarantee a level of security appropriate to the risk. By decision of the Commissioner of 3 February 2023, an administrative fine of €3250 was imposed on Epic for these violations.
5. Complaint about the installation and operation of a closed-circuit video surveillance system in a private company
According to the decision of the Commissioner for Personal Data Protection of 2 September 2022, a real estate developer, KUUTIO HOMES LTD (hereinafter KUUTIO), breached its obligations under the GDPR. The issue concerned the installation and operation of a closed-circuit video surveillance system (hereinafter CCTV) inside the offices of KUUTIO, monitoring staff during working hours. It later became apparent that KUUTIO was also receiving images of public areas outside its building. It was found that the obligations under Articles 5 and 6, specifically the obligation of data minimisation and the obligation to limit the processing when relying on Article 6(f), were breached. For these violations, the Commissioner for Personal Data Protection ordered KUUTIO:
- to completely disable the CCTV cameras that take pictures inside the offices, waiting rooms and meeting rooms;
- to fully disable exterior cameras that take images of public areas and areas outside of its private property;
- to implement appropriate measures so that any CCTV cameras that may be put into operation comply with the provisions of the Regulation.
6. CJEU judgment of 12 January 2023, C-154/21; strengthening of the right of access under Article 15 of the GDPR
An Austrian citizen requested access, under Article 15 of the GDPR, to the personal data concerning him that were being stored, or had previously been stored, by a postal service (hereinafter the controller). The data subject had requested information about the recipients in case the data had been transferred to third parties. The courts at first instance and on appeal dismissed the action on the ground that Article 15's reference to 'recipients or categories of recipient' gives the controller the option of informing the data subject only of the categories of recipient, without having to identify them specifically. After an appeal to the Supreme Court, the case was referred to the CJEU for the interpretation of that provision. According to the CJEU, the controller's obligation to communicate to the data subject the specific identity of the recipients of the data is included in Article 15, save in exceptional circumstances. Those circumstances include the case where it is impossible to identify the recipients and the case where the controller demonstrates, within the meaning of Article 12(5), that the data subject's requests for access are without grounds or excessive because of their repetitive character.
7. CJEU judgment of 20 October 2022, C-306/21; protection of personal data during elections
The lawfulness of the Guidelines, which specify that the purpose of processing personal data through video recording in the context of the electoral process is to ensure the transparency, objectivity and legitimacy of the electoral process, equal treatment of the actors in that process, and freedom of expression and the right to information, was challenged. The parties mainly disagreed over the interpretation of Article 2(2)(a), namely whether under that provision the conduct of elections is excluded from the scope of the GDPR. It was held that Article 2(2)(a) must be interpreted strictly, meaning that the Regulation does not apply to the processing of personal data in the context of "activities which fall outside the scope of Union law, such as activities relating to national security" and "activities relating to the common foreign and security policy of the Union". The CJEU therefore ruled that Article 2(2)(a) of the GDPR must be interpreted as bringing the processing of personal data during the conduct of elections in a Member State within the general scope of the Regulation. It further ruled that, under Articles 6(1)(a) and 58, the competent authorities of a Member State have the power to adopt administrative measures restricting or prohibiting the video recording of the counting of votes at polling stations during the conduct of elections in that Member State.
8. Announcement from the Commissioner for Personal Data Protection regarding the results of audits on the use of cookies by websites
The announcement was published on 8 May 2023 and concerns approximately 30 audits carried out on news and other related public information websites. The main issues identified were as follows:
- Most of the websites did not provide information on the purposes of the use of cookies.
- Of the websites that did provide information on the use of cookies, the majority either did not obtain the user's consent explicitly or obtained consent in a way that did not meet the legal requirements.
- Some cookies were wrongly categorised as 'strictly necessary' when in fact they did not belong to that category.
On the basis of the above, the operators of the websites complied with their legal obligations. The compliance of the websites will be continuously reviewed by the Commissioner's office in order to ensure further conformity with the standards set by the European Data Protection Board (EDPB).