GDPR related updates across the EU Vol.5
- Decision of the Cypriot Commissioner for Personal Data Protection concerning the cyber-attack on the Land Registry.
On January 3, 2024, the Cypriot Commissioner for Personal Data Protection issued their second decision regarding the cyber-attacks on the Land Registry and Mapping Department's DLS Portal. Although the attacker did not access personal data, data availability was affected because the system was taken out of service for the purposes of the investigation.
The Commissioner emphasized the Department's responsibility for ensuring the continuous availability and reliability of its systems. Following a review of the pre-incident measures, the investigation results, and the planned security reinforcements, a violation of the Regulation due to inadequate security measures was identified.
On December 21, 2023, the Commissioner issued a Reprimand and instructed the Department to report, within two months, on the implementation of additional measures, the acquisition of equipment, the results of new penetration testing of the system, and the timelines for enhancing system security.
The Commissioner clarified that consideration was given to certain aspects of the attack that limited its impact. Significantly, the attacker did not obtain access to personal data, and the period of restricted data availability caused by the attack was brief (full system restoration within a month, physical services resumed within a week). Finally, the Commissioner reported an absence of substantial damage to data subjects.
- EDPB’s response on the cookie pledge initiative
The EDPB has issued a response letter to the European Commission concerning the cookie pledge voluntary initiative. In this letter the EDPB supports the Commission's effort to safeguard user rights, enable informed choices, and enhance transparency regarding cookies.
The European Commission’s aim, under the cookie pledge initiative, is to tackle the "cookie fatigue" via businesses voluntarily committing to simplify cookie management and personalized advertising choices for consumers. This response was adopted after the European Commission’s request for EDPB's assessment of the draft pledge's compatibility with the GDPR and ePrivacy Directive.
As per the EDPB, the proposed principles within the pledge aim to provide users with clear information about their data processing and the implications of accepting different types of cookies, offering users greater control over their data. Additionally, under these principles, consent, once refused, would not need to be requested again for a year, a step aimed at reducing cookie fatigue.
Nevertheless, the EDPB has clarified that the cookie pledge initiative should not be utilized for any circumvention of the legal obligations of the data controller. Moreover, adhering to the cookie pledge does not automatically ensure compliance with the GDPR or ePrivacy Directive as data protection authorities retain their authority to take action when necessary.
- EDPB's Urgent Decision on Meta's Behavioural Advertising Data Processing
The European Data Protection Board (EDPB) issued an urgent binding decision on October 27th, 2023, instructing the Irish Data Protection Authority (IE DPA) to impose a ban on Meta Ireland Limited (Meta IE) on processing personal data for behavioral advertising on the basis of contract and legitimate interest across the EEA. The decision of the IE DPA, issued on the 10th of November 2023, was preceded by a request from the Norwegian Data Protection Authority (NO DPA) for the adoption of an EEA-wide ban.
The EDPB found Meta's use of contract and legitimate interest as inappropriate legal bases for processing personal data for behavioral advertising, constituting an infringement of GDPR Article 6(1). Furthermore, Meta's non-compliance with previous DPA orders was also noted. The urgency arose from the risks posed to data subjects' rights and freedoms due to these infringements.
The EDPB's decision instructing the IE DPA to impose the aforementioned ban resulted from its findings of ongoing infringements of the GDPR and the urgent need to act to safeguard the rights of the data subjects. On the notion of urgency, the EDPB highlighted that, with the regular cooperation mechanisms faltering and the need for final measures evident, the risk of harm to data subjects was present. Additionally, the urgent need for action also stemmed from the IE DPA's failure to respond in time to a mutual assistance request from the NO DPA within the timeframe mandated by the GDPR.
Ultimately, the EDPB's decision led to the IE DPA adopting its final decision, reinforcing the ban on Meta IE's data processing practices for behavioral advertising purposes all across the EEA.
- Cross-border case on the responsibilities of joint controllers
The Slovak Supervisory Authority (SA) informed the Hungarian Supervisory Authority (SA) regarding its objection to processing conducted by a Foundation operating two Hungarian-language websites, citing potential violations of GDPR Articles 5 and 6. The recordings hosted on the Foundation's websites featured children from a Slovak Primary School.
Following the notice by the Slovak SA, the Hungarian SA investigated the determination of goals and means of data processing, examining the roles of the Slovak school and the Foundation. They found joint participation between the Slovak Primary School and the Foundation regarding data processing purposes, with closely linked or complementary objectives.
In light of the above, Article 26(1) of the GDPR requires joint controllers to transparently define their responsibilities for compliance. However, there was no clear arrangement between the Foundation and the Slovak Primary School regarding joint processing and respective responsibilities. Hence, the Foundation breached Article 26(1) due to the absence of an agreement addressing these requirements.
In conclusion, the Hungarian SA issued a notice to the Foundation under Article 58(2)(d) of the GDPR, instructing it to adhere to the obligations for joint controllers in future joint processing activities.
- Cyberattacks and responsibility of data controllers
The ECJ’s judgment in Case C-340/21 (Natsionalna agentsia za prihodite) established that the fear of potential misuse of personal data can be considered non-material damage on its own. The case involved the Bulgarian National Revenue Agency, responsible for handling public debts, which faced a cyberattack resulting in the unauthorized publication of millions of individuals' personal data online. Individuals filed lawsuits seeking compensation for the fear of potential data misuse.
The Bulgarian Supreme Administrative Court sought clarification on GDPR interpretation by submitting a request for a preliminary ruling by the Court, specifically regarding compensation conditions for non-material damage when personal data held by a public agency gets exposed and ultimately leaked online due to cybercriminal activity.
The Court, firstly, highlighted that merely experiencing unauthorized disclosure or access to personal data does not automatically imply inadequacy of the implemented protective measures. Nonetheless, courts should assess the adequacy of these measures, whilst the burden of proving the appropriateness of these protective measures falls upon the data controller. Furthermore, if unauthorized disclosure or access to data is caused by a third party, i.e., cyber-attackers, the data controller might be liable to compensate data subjects unless it can prove it is not responsible for that damage. Lastly, and more notably, the sole fear experienced by data subjects concerning potential misuse of their personal data due to GDPR infringement can constitute non-material damage.
- ECJ Ruling on indirect exercise of data subject's rights by supervisory authority
The ECJ’s ruling in Case C-333/22 (Ligue des droits humains) establishes that decisions made by a supervisory authority in regard to the indirect exercise of the data subjects’ rights, are legally binding and subject to judicial review.
In this specific case, a citizen applied to the Belgian National Security Authority for professional security clearance but was denied due to past participation in demonstrations. Seeking access to his data, the citizen approached the Supervisory Body for Police Information, which informed him that he had only indirect access and that it would itself verify the lawfulness of this data processing. In the end, the individual was merely informed that the necessary verifications had been carried out.
The ECJ clarified that the supervisory authority's communication of the verification outcome constitutes a binding decision. It emphasized the data subject's right to challenge the authority's assessment of the legality of the data processing and of whether or not it adopted corrective measures. Accordingly, the supervisory authority has to inform the data subject that the necessary verifications have been carried out and of their right to a judicial remedy. However, Member States should offer comprehensive information beyond this minimum disclosure, enabling the data subject to defend their rights effectively. Where only minimal information is provided, courts reviewing the supervisory authority's decision must weigh the public interest against the citizen's procedural rights.
- Romania levies a fine of €110,000 on Rompetrol for unauthorized use of customer data in obtaining loans.
The Romanian Data Protection Authority, ANSPDCP, imposed a substantial fine on Rompetrol, a petroleum trading company, after a security breach affecting the personal data of its clients and employees.
ANSPDCP's investigation followed multiple breach reports filed by Rompetrol between July 2021 and February 2022. The findings of the investigation revealed the unauthorized extraction of personal data from both customers and employees, subsequently used for obtaining loans without their knowledge. The illegally disclosed data contained information such as names, surnames, ID numbers, addresses and photos as well as employee salary information.
ANSPDCP's findings highlighted Rompetrol's failure to implement necessary technical and organizational measures for controlling system access, resulting in a breach of GDPR Article 32. Consequently, a €110,000 fine was imposed on Rompetrol. Although Rompetrol acknowledged the incident, they argued that they had taken sufficient security measures. They attributed the breach to a single terminated employee's unlawful actions.