GDPR related updates across the EU Vol.4
1. Requirements for GDPR compensation after the ECJ decision in UI v Österreichische Post
In UI v Österreichische Post (Case C-300/21), the European Court of Justice (hereinafter: “ECJ”) delivered a significant ruling on 4 May 2023 with far-reaching implications for the General Data Protection Regulation (hereinafter: “GDPR”) and the rights of individuals in the European Union (hereinafter: “EU”). The case concerned whether data subjects, i.e. the individuals whose personal data is processed, can claim compensation for non-material damage resulting from a GDPR infringement, such as distress or emotional harm. The ECJ confirmed that individuals have a right to compensation for non-material damage when their data protection rights are violated. Under Article 82(1) GDPR, three cumulative conditions must be met: (i) an infringement of the GDPR, (ii) damage suffered, and (iii) a causal link between the infringement and the damage. The ECJ clarified that a mere infringement of GDPR provisions is therefore not sufficient in itself to confer a right to compensation. At the same time, the Court held that a national rule requiring non-material damage to reach a certain threshold of seriousness before compensation can be awarded is incompatible with EU law: Article 82 GDPR imposes no such threshold, which preserves the broad interpretation of 'damage' called for by recital 146 of the GDPR. In summary, the decision in UI v Österreichische Post has widened the scope of compensation claims under the GDPR by recognizing that damage extends beyond financial harm to non-material damage. The referring Austrian Supreme Court has not yet issued its final decision, so the amount of damages in this particular case remains to be determined.
2. Individual's right to access their personal data as prescribed in the ECJ decision in Case C-579/21 (Pankki S)
On 22 June 2023, the ECJ delivered a substantial judgment on an individual's right of access to their personal data. In this case (C-579/21, Pankki S), an employee who was also a customer of the bank Pankki S discovered that his personal data had been accessed by other bank staff several times between 1 November and 31 December 2013. The employee, who had by then been dismissed by the bank, requested information about the identities of the staff who had accessed his data, the dates of access, and the purposes of the access. Pankki S refused to disclose the identities of the employees involved, arguing that this information constituted the personal data of those employees. The employee turned to the Office of the Data Protection Ombudsman in Finland, which rejected his request, prompting him to take legal action. The ECJ reiterated that data subjects are entitled to obtain from the controller information about the consultation operations carried out on their personal data, including the dates and purposes of those operations. There is, however, no general right to learn the identities of the employees who carried out the operations under the controller's authority and in accordance with its instructions, unless that information is essential for the data subject to effectively exercise their rights under the GDPR, and even then the rights and freedoms of those employees must be taken into account. On that basis the data subject has no automatic entitlement to the personal data of the other employees. Where a data subject's right of access conflicts with the rights or freedoms of others, a balance must be struck, with a preference for means of communication that do not infringe on those rights and freedoms. Finally, the Court stressed that the data subject's dual status as a customer and a former employee of the bank does not affect the scope of their right of access.
3. Debt collection agency in Croatia fined €5.470.000
On 5 October 2023, the Croatian Supervisory Authority (hereinafter: “SA”) imposed an administrative fine of €5.470.000 on the debt collection agency EOS Matrix d.o.o. (hereinafter: “EOS Matrix”) for a series of GDPR violations. The case began with an anonymous petition received by the SA in March 2023, alleging unauthorized processing of a large amount of personal data by EOS Matrix. The data concerned individuals whose outstanding debts to credit institutions EOS Matrix had purchased. Notably, the database also contained the details of minors, which raised significant concerns. The SA found that EOS Matrix had not implemented adequate technical measures in its data processing system, in particular in its primary database, which held the personal data of approximately 370,000 individuals. As a result, the system could not detect unusual activity such as a sharp increase in the number of data retrievals or unauthorized data transfers, contrary to Article 32 GDPR. In addition, EOS Matrix processed personal data of individuals who were neither debtors nor legal representatives in a debtor-creditor relationship, without a legal basis under Article 6(1) GDPR.
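The Article 32 gap the SA describes is the absence of any control that would notice a spike in retrievals or a bulk export from the debtor database. The following is an added illustration, not code from EOS Matrix or the SA, of the kind of detection such a safeguard would provide: it runs over constructed access-log lines (format, agent names and record numbers are all assumptions) and flags any user whose hourly retrieval count is far above the baseline of their peers, as well as any export performed by an account not on an allow-list.

```python
"""Retrieval-spike and export detection over constructed access logs.

Added example; not EOS Matrix's or the Croatian SA's code. Assumed log
format, one event per line:  <ISO-8601 timestamp> <user> <action> <record_id>
where action is VIEW (single record retrieval) or EXPORT (bulk transfer).
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: three agents doing ordinary lookups in one hour, and a
# fourth account retrieving every ten seconds for the full hour, then exporting.
SAMPLE_LOG = "\n".join(
    [f"2023-03-01T09:{m:02d}:00 agent1 VIEW {1000 + m}" for m in range(0, 60, 10)]
    + [f"2023-03-01T09:{m:02d}:00 agent2 VIEW {2000 + m}" for m in range(0, 60, 12)]
    + [f"2023-03-01T09:{m:02d}:00 agent3 VIEW {3000 + m}" for m in range(0, 60, 15)]
    + [f"2023-03-01T09:{m:02d}:{s:02d} agent4 VIEW {4000 + m * 60 + s}"
       for m in range(60) for s in range(0, 60, 10)]
    + ["2023-03-01T09:59:59 agent4 EXPORT 0"]
)

# Accounts (assumed) that are permitted to run bulk exports at all.
EXPORT_ALLOWED = frozenset({"batch-service"})


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the assumed log format into (timestamp, user, action, record_id)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_id = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record_id))
    return events


def hourly_view_counts(events) -> dict[tuple[str, datetime], int]:
    """Count VIEW events per (user, hour bucket)."""
    counts: dict[tuple[str, datetime], int] = defaultdict(int)
    for ts, user, action, _ in events:
        if action == "VIEW":
            counts[(user, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return dict(counts)


def detect_anomalies(events, min_count: int = 50, factor: float = 10.0) -> list[dict]:
    """Flag retrieval spikes and unauthorized exports.

    A (user, hour) bucket is a spike when its VIEW count exceeds both an absolute
    floor (min_count) and `factor` times the median bucket count across all
    users, so a quiet hour with few users does not produce false alarms.
    Any EXPORT by an account outside EXPORT_ALLOWED is flagged outright.
    """
    alerts = []
    counts = hourly_view_counts(events)
    if counts:
        baseline = median(counts.values())
        threshold = max(min_count, factor * baseline)
        for (user, hour), n in sorted(counts.items()):
            if n > threshold:
                alerts.append({"user": user, "hour": hour.isoformat(), "count": n,
                               "reason": f"retrievals {n} exceed threshold {threshold:g}"})
    for ts, user, action, _ in events:
        if action == "EXPORT" and user not in EXPORT_ALLOWED:
            alerts.append({"user": user, "hour": ts.isoformat(), "count": 1,
                           "reason": "bulk export by account not on export allow-list"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

The baseline is recomputed from the same window it polices, which is adequate for a one-off sweep; in production the median would come from a trailing history so that an attacker running for a whole day does not drag the baseline up with them.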
4. Irish Data Protection Authority orders TikTok to eliminate unfair design practices concerning children
Following the EDPB’s binding decision in the dispute resolution procedure, adopted on 2 August 2023, the Irish Data Protection Authority (hereinafter “Irish DPA”) found that TikTok had violated the GDPR's fairness principle when processing the personal data of children aged 13-17 between 31 July and 31 December 2020. The Irish DPA adopted the EDPB's legal assessment under Art. 65(1)(a) GDPR after the EDPB had resolved objections raised by several concerned supervisory authorities. The final decision holds that TikTok's public-by-default settings contradict data protection principles, and imposes a reprimand, a compliance order, and a fine of €345.000.000. The full decision is available in the “Register of Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism”. More details on the EDPB’s Binding Decision can be found in Vol. 3 of this Newsletter.
5. Swedish Data Protection Authority issues administrative fine against insurance company for security deficiencies
The Swedish Authority for Privacy Protection (hereinafter: “IMY”) opened an investigation into the insurance company Trygg-Hansa after receiving a complaint. The complaint concerned a link sent out by the company that gave access to other policyholders' documents without any login, simply by changing a few digits in the web address: the documents were addressed by predictable identifiers and the server never checked who was asking, the classic insecure direct object reference pattern. IMY's investigation found that from October 2018 to February 2021 the data of approximately 650,000 customers was accessible to unauthorized persons in this way. The exposed documents contained sensitive personal data, including detailed health and financial information, alongside contact details, social security numbers and insurance details, enough to build a comprehensive picture of an individual's private circumstances. IMY held that the security flaws were fundamental and should have been remedied before the IT system was put into service, or at the latest during its long period of use. IMY therefore imposed an administrative fine of 35.000.000 SEK (approximately €3.000.000) on the company for failing to implement adequate technical measures against these risks.
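To make the failure mode concrete, the added example below (not Trygg-Hansa's code, and not taken from IMY's decision) places a vulnerable document endpoint next to a hardened one. The insecure handler hands out any document by sequential number with no session, so walking the number range recovers everyone's files; the hardened handler requires a valid session, looks the document up by an unguessable reference, and verifies that the document belongs to the logged-in customer. Customer names, document numbers and the in-memory stores are all constructed for the example.

```python
"""Insecure direct object reference (IDOR) in a document-download endpoint,
shown vulnerable and hardened. Added example; not the insurer's code.
All data below is constructed."""
import secrets
from dataclasses import dataclass


class NotAuthenticated(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Session is valid but the document belongs to someone else."""


class NotFound(Exception):
    """Unknown document id or reference."""


@dataclass(frozen=True)
class Document:
    owner: str
    title: str


# Constructed store keyed by a sequential number of the kind a mailed link
# might carry ("...?doc=1002"). Three policyholders, one document each.
DOCS_BY_SEQ = {
    1001: Document("alice", "policy letter"),
    1002: Document("bob", "claim decision with medical summary"),
    1003: Document("carol", "premium statement"),
}


def get_document_insecure(doc_id: int) -> Document:
    """Vulnerable pattern: the link's number is the only key, no session is
    required and ownership is never checked. Editing a few digits in the link
    returns another customer's document."""
    try:
        return DOCS_BY_SEQ[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def enumerate_insecure(start: int, stop: int) -> dict[int, Document]:
    """What an attacker does with the vulnerable endpoint: try every number."""
    found = {}
    for doc_id in range(start, stop):
        try:
            found[doc_id] = get_document_insecure(doc_id)
        except NotFound:
            pass
    return found


# Hardened version: server-side session store and opaque document references.
SESSIONS: dict[str, str] = {}      # session token -> customer id
DOC_REFS: dict[str, int] = {}      # opaque reference -> internal sequential id


def login(customer: str) -> str:
    """Issue a random session token for an already-authenticated customer
    (the credential check itself is out of scope here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer
    return token


def issue_reference(doc_id: int) -> str:
    """Map an internal id to a 192-bit random reference for use in links, so the
    id space cannot be walked. This alone is NOT sufficient; the ownership
    check in get_document is what actually enforces access control."""
    ref = secrets.token_urlsafe(24)
    DOC_REFS[ref] = doc_id
    return ref


def get_document(session_token: str, ref: str) -> Document:
    """Hardened handler: authenticate, resolve the reference, then authorize
    against the document's owner before returning anything."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise NotAuthenticated()
    doc_id = DOC_REFS.get(ref)
    if doc_id is None:
        raise NotFound(ref)
    doc = DOCS_BY_SEQ[doc_id]
    if doc.owner != customer:
        # Some deployments return 404 here instead, to avoid confirming that
        # the reference exists; either way the body must not be returned.
        raise Forbidden(ref)
    return doc


if __name__ == "__main__":
    print("insecure endpoint leaks:", enumerate_insecure(1000, 1010))
    token = login("alice")
    print("hardened, own doc:", get_document(token, issue_reference(1001)))
    try:
        get_document(token, issue_reference(1002))
    except Forbidden:
        print("hardened, other customer's doc: Forbidden")
```

The two controls are deliberately layered: the random reference stops blind enumeration, and the owner comparison stops a customer who has obtained a valid reference (from a forwarded e-mail, a browser history, a leaked log) from using it under their own session. Neither on its own would have satisfied the requirement IMY found missing here.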
6. EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679
In April 2022, the European Data Protection Board (hereinafter: “EDPB”) reaffirmed its commitment to strengthening cross-border cooperation in data protection enforcement. The EDPB identified areas in need of harmonization in the so-called 'EDPB wish list', which it sent to the European Commission in October 2022. The list covers procedural aspects such as the rights of parties in administrative procedures and the handling of complaints. On 4 July 2023 the European Commission then proposed a Regulation to improve data protection enforcement and consulted the EDPB and the European Data Protection Supervisor (hereinafter: “EDPS”). In Joint Opinion 01/2023, adopted on 19 September 2023, the EDPB and EDPS welcome the Proposal, which takes up many of their recommendations. According to the Opinion, the Proposal complements the GDPR by specifying procedural rules, enhancing cooperation between supervisory authorities and harmonizing the procedural rights of the parties involved. The EDPB and EDPS also stress that adequate resources are crucial for effective GDPR enforcement, given the increase in workload the Proposal may bring for supervisory authorities.