GDPR fines. What can we learn from mistakes? April-May 2020

Unknown company

Imposed fine. The Netherlands Supervisory Authority for Data Protection (AP) has imposed a fine of 725,000.00 euros.

The Netherlands AP found that the company should not have processed employees’ fingerprints, as it did not have a valid legal ground to do so. The AP stated that the company could not rely on any of the exceptions permitting the processing of this special category of personal data, and that the company could not provide any evidence that the employees had given their consent to this processing.

According to the Netherlands AP, the company could not rely on either of the two relevant exceptions because:

– Employees’ consent is generally not considered valid, given the relationship of subordination between employer and employee (i.e., consent would not be freely given);

– The necessity of the processing for authentication or security purposes can only be relied on when buildings and information systems must be secured in such a way that this cannot be done without the use of biometric data (i.e., biometrics can only be used if there are no less invasive measures available).

Accordingly, the Netherlands AP concluded that the company’s processing of fingerprints was unnecessary and disproportionate and therefore constituted a breach of GDPR Articles 5 and 9.

What can we learn:

– Biometric data is classified as a special category of personal data whose processing is subject to stricter requirements. Therefore, data controllers must identify both a lawful basis under GDPR Article 6 and an appropriate condition under GDPR Article 9 for the processing of such data.

– One of the conditions under which a special category of personal data may be processed is that the data subject has given explicit consent to the processing of that personal data. Biometric data may therefore be processed on the basis of the data subject’s clear, unambiguous and appropriately informed consent, provided that the data subject is offered an alternative identification option that does not involve the processing of biometric data.

– Where consent is relied upon, the data controller must be able to demonstrate that it holds valid and freely given consent from the data subjects. Moreover, it should be taken into account that consent is not regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without suffering consequences.

– Data controllers have to ensure that data subjects are adequately informed about the key elements of the data processing in conformity with GDPR Article 13: the identity of the data controller, the purposes of the processing, the types of data processed, the duration of the processing and the other key points set forth in that Article.

– The data must be stored and used no longer than necessary.

– Data controllers have the obligation to conduct a Data Protection Impact Assessment (DPIA) before using biometric data.

Read more about the use of biometric data here: https://ecovis.lt/remote-customer-identification-how-to-be-compliant-with-gdpr/, https://ecovis.lt/biometric-data-proceeding-what-should-be-known/

Proximus SA

Imposed fine. The Belgian data protection authority (the Gegevensbeschermingsautoriteit / Autorité de protection des données – Belgian DPA) has imposed a fine of 50,000 euros on the largest telecommunications operator in Belgium, Proximus SA, for the lack of appointment of a data protection officer (“DPO”).

On April 28, 2020, the Belgian DPA issued a decision to fine Proximus SA for appointing the director of its compliance and audit department as the DPO, which constituted an infringement of Article 38(6) of the GDPR. The Belgian DPA stated that Proximus SA did not have any system in place to prevent a conflict of interest on the part of the DPO, which led the Belgian DPA to conclude that the DPO function could not be performed independently.

According to the Belgian DPA, a DPO “may not have significant operational responsibility for data processing activities carried out by those departments while also advising on, and supervising such data processing as DPO”.

What can we learn:

– Although the GDPR allows the data protection officer to fulfil other tasks and duties, the data controller or processor must ensure that any such tasks and duties do not result in a conflict of interests.

– The existence of a potential conflict of interest should be considered on a case-by-case basis. It should be evaluated whether the performance of the DPO’s tasks and functions would later be monitored and evaluated by the same person who simultaneously performs other functions in the company.

– The data controller should prepare a list of positions that cannot be combined with the DPO function and should develop an internal procedure that excludes the possibility of combining positions and functions that are in conflict.

– The data controller should also remember to properly define the scope of duties in employment contracts (or contracts for the provision of services) so that the possibility of a conflict of interest is excluded.

Twoo

Imposed fine. The Belgian DPA has imposed a fine of 50,000 euros on the Belgian-based social network Twoo for violations of the General Data Protection Regulation.

According to the data protection authority, the social network application collected and processed the personal data of third persons stored on its users’ mobile devices, in order to let users invite their friends or contacts to join the social network and use its services, without a valid legal ground under the GDPR, i.e. without first obtaining the consent of the invited persons.

The application has offered its users an “invite a friend” option. The network allowed its users to invite third persons to use the platform without receiving the third person’s consent before (or at the time of) sending the invitation.

The data protection authority stated that the social network Twoo violated the provisions of Article 6 of the GDPR by sending invitations to third persons whose contact details were provided by the social network’s users, without the consent of those third persons or any other legal ground under the GDPR.

What can we learn:

– A data controller that includes an “invite a friend” option in its technical design must ensure that the resulting processing of personal data complies with the principles relating to the processing of personal data and that it is lawful under an appropriate legal ground.

– Only the data subject whose personal data is processed may consent to the processing of that data. It is important to keep in mind that consent for a child who is under the age of 16 (unless national law provides a lower age limit) must be given or authorised by the holder of parental responsibility over the child.

– A data controller that collects personal data through an implemented technical solution must first assess whether the persons concerned have given clear and unambiguous consent to the processing of their data, where consent is the legal basis relied upon.