
Complycloud EU GDPR Report

Highlighting selected national data protection agency decisions from 2018 to 2023 with a primary focus on Denmark, Germany, Belgium, and the Netherlands.

ISSN 2794-6215
EU GDPR Casebook 2023
Compilation of decisions by national data protection agencies from May 2018 to May 2023
ComplyCloud & CIT Law Firm
© ComplyCloud & CIT

EU GDPR Casebook 2023
Highlighting selected national data protection agency decisions from 2018 to 2023 with a primary focus on Denmark, Germany, Belgium, and the Netherlands.
ComplyCloud and CIT Law Firm
© ComplyCloud & CIT
ComplyCloud ApS, CVR: 35813764, Borgergade 24B, 3.-4. floor, 1300 Copenhagen K, Denmark, www.complycloud.com
When referencing this publication, the following source should be cited: ’ComplyCloud EU GDPR Casebook 2023’.

Welcome to ComplyCloud’s EU GDPR Casebook 2023

It is with great pleasure that I present to you the EU GDPR Casebook 2023. In this edition, the ComplyCloud legal team has gathered, categorized, and analyzed a range of decisions from across the European Union, with particular focus on the Data Protection Agencies of the Netherlands, Germany, Belgium, and Denmark. The time span of these cases ranges from the inception of the GDPR in May 2018 to May 2023.

Specifically, this Casebook highlights:
• Cases resulting in the 10 largest GDPR fines from each of our three focal countries; the Netherlands, Germany, and Belgium.
• 10 intriguing cases from each of the three focal countries, handpicked due to their potential impact and unique features.
• A collection of interesting cases from Denmark, in recognition of ComplyCloud’s core expertise.
• Selected compelling cases from various other EU countries, which we found to be of particular interest.

Through this comprehensive collection, we aim to paint a picture of the evolving data privacy landscape in the EU, building on the principal decisions that continually expand our understanding of the General Data Protection Regulation. Whether you are a seasoned legal professional or a newcomer to the field of data protection, we believe this Casebook will serve as a valuable resource in navigating the complexities of GDPR compliance.

The GDPR’s five-year journey has been nothing short of transformative. Since its introduction in May 2018, the GDPR has given individuals greater control over their personal data and introduced new standards for businesses. It has shaped the digital transition in the EU, guiding both domestic and international approaches to data regulation.

At ComplyCloud, we have been keen observers of this development, tracking the progression and interpretation of the GDPR throughout the European Union. The ongoing evolution of GDPR, its impact, and the challenges it presents continue to be areas of focus for us. However, in compiling this Casebook, our aim goes beyond mere observation; we strive to promote transparency and provide a lens into the trends of the GDPR and changes in its enforcement. The cases presented here underline the actions taken by national data protection authorities across the EU, with over 2.5 billion EUR in fines imposed for GDPR breaches. This underscores the commitment to safeguarding data protection within the EU.

In keeping with our tradition, we supplement our legal analyses with a graphical presentation of key figures in data protection law. With our statistical overview, you will be presented with EU-wide numbers on the nature of violations, fines, sectoral trends, and more.

On behalf of everyone at ComplyCloud, we thank you for your interest and engagement with our work. As we continue to navigate the intricacies of GDPR compliance, we are committed to providing you with the most current, comprehensive, and user-friendly resources. I hope you find the GDPR Casebook 2023 informative and useful. Enjoy your read!

Best regards,
Martin Folke Vasehus
CEO & IT Lawyer
ComplyCloud

Complycloud EU GDPR Report - Page 3

Index

GDPR in numbers 7

01 Largest fines - Netherlands 15
Tax administration fined for fraud blacklist 16
Tax administration fined for discriminatory processing 17
Tennis association fined for selling personal data 18
National Credit Register (BKR) fined for personal data access 19
TikTok fined for violating children’s privacy 20
Company fined for processing employees’ fingerprint data 21
Municipality fined for missing legal basis for Wifi-tracking 22
Foreign office fined for poor security 23
DPG Media fined for unnecessary ID requests 24
Locate Family fined for not appointing a representative 25

02 Selected interesting cases – Netherlands 26
Can commercial interest be a legitimate interest? 27
Grandmother ordered to delete Facebook photos of grandchildren 29
Legal basis for registration in Credit System 30
Surgeon sued Google for linking to articles about her 31
Formal warning to supermarket about facial recognition 32
Compensation for non-material damage 33
Right to access bank documents 34
Does the right to access also extend to exams and comments? 35
Mother’s right to rectification regarding opinion on child’s safety 36
Uber, right to access and data portability 37

03 Largest fines - Germany 40
H&M fined for insufficient legal basis for processing sensitive personal data 41
Notebooksbilliger.de fined for lack of legal basis for video surveillance 42
1&1 Telecom GmbH fined for insufficient security measures 44
Brebau GmbH fined for lack of legal basis and transparency 46
AOK Baden-Württemberg fined for failing to ensure security of processing 47
Volkswagen fined for not providing data subjects sufficient information about the data processing 48
Bank fined for creating customer profiles without a legal basis 50
Vattenfall Europe Sales GmbH fined for not fulfilling transparency obligations 51
Berlin e-commerce group fined for DPO conflict of interest 52
VfB Stuttgart fined for neglecting the accountability principle 54

04 Selected interesting cases – Germany 55
Scalable Capital ordered to compensate data subject for non-material damages 56
Company ordered to cover repair costs for customer 57
Insurance company ordered to cover the cost of repairs for a customer 60
Data subject awarded reparation after unlawful transfer of IP addresses 61
Data subject awarded damages for unauthorized criminal background check 62
Data Processor’s promises regarding third-country transfer were valid 63
Claim of non-material damages rejected by Court 64
Copyright law prioritized artistic freedom over personality rights 65
Disclosure of personal data for the enforcement of civil law claims 67
Dismissal of DPO in concerns of potential conflicts of interests justified under national legislation 68

05 Largest fines – Belgium 69
Google Belgium SA fined for violating the right to be forgotten 70
Interactive Advertising Bureau Europe fined for the non-compliance of its Transparency & Consent Framework 72
Brussels Zaventem Airport fined for processing health data about travelers 74
Brussels South Charleroi Airport fined for processing health data about travelers 76
Financial company fined for lacking sufficient organizational measures 77
Bank fined due to a conflict of interest regarding its DPO 78
SA Rossel & Cie media company fined for unlawful use of cookies 79
Roularta Media Group fined for unlawful use of cookies 81
Family Service fined for unlawful consent practices 83
Parking ticket control company fined for several GDPR violations 85

06 Selected interesting cases – Belgium 86
EU DisinfoLab fined for processing and classifying tweets and Twitter accounts according to political orientation 87
Company fined for restoring data on a former managing director’s work laptop 88
CCTV operator fined for illegally installing cameras 89
Private individuals fined for installing video cameras on private property 90
Music company wrongfully fined for management of musician’s social media fan page 91
Meta Platforms Ireland Ltd. fined for unlawful data processing 92
Beverage company fined for using eID cards to create customer loyalty cards 94
Medical laboratory fined for several GDPR violations 96
Employer reprimanded for discussing sensitive personal data about an employee during internal HR meeting 98
School fined for processing data about minors without parental consent 99

07 Selected interesting cases – Denmark 100
Publication of old club magazines 101
Processing of personal data in the context of online competitions 102
Serious criticism for processing personal data about website visitors 104
The dating service’s legal basis and personal data security 106
Næstved municipality: Public interest and cookies 108
Unauthorized access to video surveillance 109
Complaint about failure to erase 110
Gladsaxe Municipality: Court ruling in the Gladsaxe case 112
Transmitting sensitive information through text message 114
Serious criticism for insufficient testing of a software update 115
Sub-processor refused to provide data to the controller 116
Criticism of failure to fulfill information obligations 117
Authorization for municipalities to use the AI profiling 119
The Chromebook Case 1 120
The Chromebook Case 2 121
The Chromebook Case 3 123
The Chromebook Case 4 124
Serious criticism for unintended changes to shared medical record 125
University’s use of a monitoring program for online exams 126
FysioDanmark: Use of facial recognition system 127
DBA: Right to refuse a request for erasure 129

08 Selected interesting cases – from other EU member states 130
Consent-pay solution 131
Lack of evidence of fraudulent use does not affect the classification of a breach 132
Is information about private relations sensitive personal data? 134
Grindr preliminarily fined for 100 million NOK for consent solution 135
SCHREMS II 137
Deliveroo fined 2.5 million EUR for not informing about automated processing 138
Meta tracking tools found to breach EU rules on data transfers 139
Italian DPA bans Chat GPT 140
Pseudonymized data might not be personal data if the recipient has no means of re-identifying the data subject 142
Meta fined 405 million EUR for not handling teenagers’ data appropriately 144

09 Methods and Scope 145
Methods and Scope 146
About ComplyCloud 147


GDPR in numbers
Statistical Overview: A Data-Driven Analysis of EU GDPR Enforcement through Country-Specific Trends, Sectoral Differences, and Violation Types.
[Decorative calendar graphic]

Fines based on different sectors
Cumulative EU totals of fines across different sectors (EUR)

The graph below illustrates the distribution of GDPR fines across sectors, with each bar indicating the cumulative fines for non-compliance. The stark disparity between sectors is evident, particularly the higher and more frequently imposed fines within the media, telecom, broadcasting, and industry and commerce sectors. These sectors manage large amounts of personal data and often adopt new technologies, increasing their risk of data breaches. Their high public visibility and data sharing practices, particularly in relation to targeted advertising, make these sectors more susceptible to complaints.

Media, Telecoms and Broadcasting - 1,710,010,691 EUR
Industry and Commerce - 857,983,141 EUR
Transportation and Energy - 65,596,614 EUR
Employment - 48,432,177 EUR
Finance, Insurance and Consulting - 38,787,158 EUR
Public Sector and Education - 24,267,463 EUR
Accommodation and Hospitality - 22,446,648 EUR
Health Care - 15,981,209 EUR
Real Estate - 2,586,531 EUR
Individuals and Private Associations - 1,919,206 EUR
Not assigned - 1,151,908 EUR

Number of fines across different sectors in the EU

The graph below displays the total number of GDPR fines imposed in various sectors across the European Union.

Industry and Commerce - 280 fines
Media, Telecoms and Broadcasting - 244 fines
Individuals and Private Associations - 201 fines
Public Sector and Education - 187 fines
Finance, Insurance and Consulting - 170 fines
Health Care - 163 fines
Employment - 113 fines
Not assigned - 86 fines
Transportation and Energy - 82 fines
Accommodation and Hospitality - 56 fines
Real Estate - 52 fines

Fines based on type of violation
Cumulative sums of fines per violation type across the EU

The graph below depicts the cumulative sums of GDPR fines for each type of violation across the EU. Each bar represents a different violation type, providing a clear comparison of the financial impact associated with each type of GDPR violation.

Non-compliance with general data processing principles - 1,674,711,359 EUR
Insufficient legal basis for data processing - 431,613,697 EUR
Insufficient technical and organisational measures to ensure information security - 379,851,319 EUR
Insufficient fulfilment of information obligations - 237,251,580 EUR
Insufficient fulfilment of data subjects’ rights - 51,889,270 EUR
Unknown - 9,250,000 EUR
Insufficient fulfilment of data breach notification obligations - 1,778,582 EUR
Insufficient data processing agreement - 1,057,110 EUR
Insufficient involvement of data protection officer - 919,300 EUR
Insufficient cooperation with supervisory authority - 840,529 EUR

Number of fines imposed by violation type across the EU

The graph on the left displays the total number of GDPR fines imposed in the EU, broken down by violation type.

Insufficient legal basis for data processing - 537 fines
Non-compliance with general data processing principles - 424 fines
Insufficient technical and organisational measures to ensure information security - 313 fines
Insufficient fulfilment of information obligations - 165 fines
Insufficient fulfilment of data subjects’ rights - 160 fines
Insufficient cooperation with supervisory authority - 69 fines
Insufficient fulfilment of data breach notification obligations - 31 fines
Insufficient involvement of data protection officer - 15 fines
Insufficient data processing agreement - 11 fines
Unknown - 9 fines

Fines based on country
EU Countries by number of fines

The graph illustrates the count of GDPR fines among EU countries. The significant concentration of fines in Spain can be attributed to several factors, both inherent to the Spanish business landscape with a high concentration of SMEs, and the approach of the Spanish Data Protection Authority (AEPD).

Spain - 646 fines
Italy - 265 fines
Germany - 148 fines
Greece - 57 fines
France - 34 fines
Luxembourg - 31 fines
Sweden - 29 fines
Ireland - 24 fines
Austria - 20 fines
United Kingdom - 13 fines

Total sums of fines by country across the EU

The graph presents the ten EU countries with the highest total sums of GDPR fines, illustrating where the most substantial penalties for non-compliance have been levied. Unsurprisingly, Ireland leads the chart; a consequence of its role as a European hub for many global tech giants like Google and Facebook, resulting in a high number of substantial fines.

[Map showing Sweden, United Kingdom, Germany, Ireland, Luxembourg, France, Austria, Italy, Spain, and Greece. Legend bands: 15,000,000 EUR - 25,000,000 EUR; 25,000,000 EUR - 55,000,000 EUR; 55,000,000 EUR - 80,000,000 EUR; 80,000,000 EUR - 295,000,000 EUR; 295,000,000 EUR - 1,400,000,000 EUR.]

Ten highest fines
Top ten GDPR fines in the EU

This graph presents the ten largest GDPR fines imposed across the EU. Each bar corresponds to a distinct case, with the financial penalty reflecting the severity of the GDPR violation considering the entity’s annual turnover. To delve deeper into each of these cases, refer to the case commentaries in this Casebook. Our analyses provide insightful context and shed light on the justifications for these substantial fines, facilitating a deeper understanding of GDPR compliance.

Amazon Europe Core S.à.r.l. - 746,000,000 EUR
Meta Platforms, Inc. - 405,000,000 EUR
Meta Platforms Ireland Ltd. - 390,000,000 EUR
Meta Platforms Ireland Ltd. - 265,000,000 EUR
WhatsApp Ireland Ltd. - 225,000,000 EUR
Google LLC - 90,000,000 EUR
Facebook Ireland Ltd. - 60,000,000 EUR
Google Ireland Ltd. - 60,000,000 EUR
Google LLC - 50,000,000 EUR
H&M Hennes & Mauritz Online Shop A.B. & Co. KG - 35,258,708 EUR

01 Largest fines - Netherlands

Tax administration fined for fraud blacklist

Summary

The Dutch Tax Administration had a fraud identification facility (FSV) that contained a blacklist of data subjects registering indications of fraud.

The FSV staff were instructed to use characteristics about individuals, such as their ethnic heritage (i.e., Turkish, Moroccan, and Eastern European) as a selection criterion for further tax investigations.

In some cases, a data subject was labeled a ’fraudster’ without this being subject to an adequate investigation. Even if an investigation was carried out, and there appeared to be no fraud indicators, this conclusion was often not noted, and so the suspicion of fraud remained. Furthermore, risk analyses were based on incorrect data in some cases.

Inclusion on this blacklist meant that the data subject suffered economic consequences such as having his/her application for care allowance rejected or being made ineligible for debt rescheduling etc. Around 270,000 people were on this list, and the processing took place from 2013 to 2020. Information about individuals on this list was shared with other authorities and private entities.

Furthermore, unauthorized employees of the Tax and Customs Administration were able to view personal data in FSV due to the inadequate security of FSV.

The decision of the Dutch DPA

The Dutch DPA imposed a combined fine of 3,700,000 EUR on the Dutch Minister of Finances for the following violations (broken down into the corresponding fines):
• The Tax administration had no statutory basis for processing personal data in the FSV: 1,000,000 EUR (GDPR, Article 6(1)).
• The purpose of the FSV was not specifically described in advance: 750,000 EUR (GDPR, Article 5(1)(b)).
• The FSV contained incorrect and obsolete information: 750,000 EUR (GDPR, Article 5(1)(d)).
• This particular data was stored for far too long: 250,000 EUR (GDPR, Article 5(1)(e)).
• The FSV was not adequately protected: 500,000 EUR (GDPR, Article 32(1)).
• The Tax Administration waited over a year to ask its DPO for advice about assessing the risks of using the FSV: 450,000 EUR (GDPR, Article 32(2)).

Our remarks

• If a processing activity relies on the legal basis of “necessary for a task carried out in the public interest”, the law that the controller refers to must specifically permit the processing in question. This is also the case when the processing is within the general scope of the law. When a processing activity becomes more detailed and invasive (for example by processing special or criminal data) the requirement for clarity of the law is raised.
• When one is processing personal data, it is important to describe the processing as precisely as possible. Furthermore, the purpose of the processing activity should always be clear. This can be mapped in a Risk Assessment and eventually followed by a Data Protection Impact Assessment.
• If the controller has carried out illegal processing and has not consulted its DPO, it is an aggravating circumstance when the DPA is calculating the fine.
• If a processor has previously been found to be in violation of the GDPR, the data protection authority is inclined to issue a higher fine for the subsequent violation.

Published: 07-04-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing

Tax administration fined for discriminatory processing

Summary

Between 2013 and 2019, around 26,000 parents were wrongly accused of making fraudulent childcare benefit claims, requiring them to pay back the allowances they had received in their entirety. The amount was up to ten thousand euros.

From January 2014, national legislation stipulated that if a person was of Dutch nationality, dual nationality was no longer to be recorded.

The Dutch Tax Administration continued storing data about individuals with dual nationality after the change in legislation in January 2014. In May 2018, approximately 1.4 million Dutch citizens with dual nationalities were registered in a database used by the authority.

In addition, the Administration processed the nationality of applicants to combat organized fraud. Applications submitted by dual nationals were automatically marked as a ‘high-risk application’ by an algorithm and would be further investigated.

Furthermore, certain nationalities were used to detect organized fraud. Data subjects with certain nationalities were more likely to be checked for fraud.

The decision of the Dutch DPA

The Dutch DPA imposed a total fine of 2,750,000 EUR on the Dutch Ministry of Finances for the following violations (with corresponding fines):
• Unlawful retention of data on dual nationality: 750,000 EUR (GDPR, Articles 6(1) and 5(1)(a)).
• Unnecessary use of dual nationality as an indicator of the risk of fraud: 1,000,000 EUR (GDPR, Articles 6(1) and 5(1)(a)).
• Inappropriate use of dual nationality to detect organized fraud: 1,000,000 EUR (GDPR, Articles 6(1) and 5(1)(a)).

Our remarks

• Governmental bodies have a heightened responsibility to perform lawful processing due to the power imbalance between the government and its citizens, as the data subjects do not have a choice to have their personal data processed by the given authority.
• The less far-reaching form of processing should always be used when possible. For example, instead of using dual nationality as an indication of fraud, the Tax Administration should only check a person’s nationality when there are other concrete indications of fraud.
• As a controller or processor, you should always be aware of national legislation that either prohibits or restricts certain types of processing or the processing of certain types of personal data.
• The DPA will impose a higher fine if the data subjects have suffered economic damages due to illegal processing.

Published: 25-11-2021 Journal number: N/A Tags: 01 Legal basis and principles of processing

Tennis association fined for selling personal data

Summary

The Dutch tennis association KNLTB sold personal data about more than 300,000 members to two sponsors for the purpose of direct marketing. The personal data was in the form of name, gender, address, and telephone numbers of members. The sponsors approached some of the KNLTB members by mail or telephone.

During the case, the Dutch DPA assessed if sharing personal data with sponsors was within the original purpose of executing the membership. Secondly, it assessed if the KNLTB could rely on the legal basis of legitimate interest when selling personal data.

The KNLTB claimed that the Dutch DPA was biased in its approach because, in a news show, the DPA had given the impression that the KNLTB had acted incorrectly while investigations were still ongoing. The Dutch DPA acknowledged this, but it did not have any legal effect on the case as the proceedings in the case took place in accordance with formal procedures.

The decision of the Dutch DPA

The Dutch DPA imposed a fine of 525,000 EUR on the KNLTB for the following violations:
• Selling personal data without a legal basis (GDPR, Article 6(1)).
• Not making it clear to their members how their personal data was processed (GDPR, Article 5(1)(a)).
• Processing personal data with a purpose that was incompatible with the original purpose for collection (GDPR, Article 5(1)(b)).

Our remarks

• A controller should be aware of how the DPA acts during a case, and whether it acts according to formal procedures, etc.
• If the processing serves a purpose other than the one for which the personal data was originally collected, it should be assessed whether this other purpose is compatible with the purpose for which the personal data has been collected.
• In this case, the purpose of generating extra income by selling personal data to sponsors was not within the original purpose of membership. Therefore, the KNLTB should have obtained the consent of the members for this action.
• The Dutch DPA stated that any solely commercial purpose, such as interest in gaining income, could not qualify as a legitimate interest. This is quite a restrictive interpretation of the scope of legitimate interest as a legal basis.

Published: 20-12-2019 Journal number: N/A Tags: 01 Legal basis and principles of processing

National Credit Register (BKR) fined for personal data access

Summary

The National Credit Register (BKR) in the Netherlands offered two options for complying with a request for access from a data subject:
1. A free option where a data subject could send a manual inquiry by post once per year, or
2. a paid yearly subscription option that gave the data subject unlimited access to their personal data.

BKR argued that they were allowed to charge a fee for electronic access because when a data subject had unlimited access to their personal data, it constituted requests of a repetitive nature.

They also argued that they could set up a maximum of one free access per year because more requests than that would be repetitive. They selected that figure because the average number of consumers’ requests for access to their credit status was on average once a year.

The decision of the Dutch DPA

The Dutch DPA imposed a fine of 830,000 EUR on the BKR for the following violations:
• Asking data subjects to pay a fee to provide them with electronic access to their personal data: 385,000* EUR (GDPR, Article 12(5)).
• BKR’s practice discouraged data subjects from filing an access request: 650,000* EUR (GDPR, Article 12(2)).

*The total fine was reduced by 20% due to the similarities between the two violations and so that the DPA did not violate the principle of proportionality.

Our remarks

• Providing the data subject with free postal access to personal data once per year does not entitle data controllers to charge a subsequent fee for providing an electronic copy of the personal data.
• One cannot set up a general cap restricting the number of free requests a data subject can make per year. It must be demonstrated on a case-by-case basis that the given requests are repetitive.
• The ability to view data in a digital portal for a year after payment does not constitute repetitive requests. Therefore, the data controller cannot, on a general basis, charge a fee to provide access to the data subjects.
• A data controller may never discourage data subjects from exercising the right to access their data. The Dutch data protection authority found that the BKR had actively discouraged the exercise of this right when communicating one free access per year in its privacy policy.

Published: 30-07-2019 Journal number: N/A Tags: 02 Right of access and obligation to provide information

TikTok fined for violating children’s privacy

Summary

TikTok is an app that allows users to create, edit and share short videos online. By the end of 2019, the app was used by 830,000 Dutch children between the ages of 12 and 18.

From 25 May 2018 to 28 July 2020 inclusive, the privacy policy of TikTok was only available in English.

In this case, TikTok believed that the Dutch DPA did not have the authority to impose a fine on TikTok as they had their main establishment in Ireland. The DPA found that TikTok had a main establishment in Ireland from 29 July 2020 and the Dutch DPA had competence until that date.

The decision of the Dutch DPA

The Dutch DPA imposed a fine of 750,000 EUR on TikTok for only providing their privacy policy in English to Dutch children (GDPR, Article 12(1)).

Our remarks

Transparent information
• When a controller is communicating with data subjects who speak a different language, they must, where possible, provide a translation of the privacy information in a language that the data subjects understand. This is especially the case when the data subjects are children.
• It cannot be an argument for not translating e.g., a privacy policy, that the data subjects from a specific nation, in general, have a good command of English.
• A data controller should be aware of who their data subjects are. When a large number of users of a service are children, the wording should be adapted to children when communicating with them e.g., when writing the privacy policy.

Competence of a DPA
• Where a data controller has established their primary operations across multiple EU countries, the lead supervisory authority holds the principal responsibility for taking action towards this data controller. The lead supervisory authority is identified as the governing body situated in the state where the data controller’s primary operations are located.
• If a company does not have a primary establishment in Europe, any EU member state is empowered to supervise its activities.

In this case, the Dutch Data Protection Authority would be authorized to take action against any violations until such time as TikTok established its primary operations in Ireland.

Published: 09-04-2021 Journal number: N/A Tags: 02 Right of access and obligation to provide information

Company fined for processing employees’ fingerprint data

Summary

An unnamed company scanned the fingerprints of employees in order to monitor attendance and absence.

The scanning machines calculated a template of the fingerprint and stored it as a text file.

The fingerprint templates were recorded at the beginning of 2017 and were still stored in 2019. This included employees that had resigned from the company.

There was no documentation of any policies or procedures relating to employee consent, either permitting or refusing the recording or storage of fingerprints.

The company argued that the supplier of the scanning system should have pointed out the GDPR violation, but this argument was found to be irrelevant by the Dutch DPA.

The decision of the Dutch DPA

The Dutch DPA imposed a fine of 725,000 EUR on the unnamed company for processing biometric data in the form of fingerprints for the purpose of monitoring absence (GDPR, Article 9(1)).

Our remarks

Monitoring measures
• A consideration when implementing measures to monitor employees is that this should always be done in the least impactful manner. In this case, both attendance and absence could have been monitored by using a chip or keycard, resulting in the employer refraining from processing any sensitive data.
• The use of biometric data for access monitoring is only suitable when unauthorized access can have major negative consequences. This is, for example, the case when monitoring access to high-security facilities like nuclear power plants.

Consent as a legal basis in employment
• An employer should think twice before using consent as a legal basis for processing personal data about their employees. It is difficult to obtain consent that is freely given due to the inequality between employees and employers. In some cases, the legal basis for these processing activities can be a legitimate interest if the employer can justify the purpose of the processing.
• If an employer decides to use the consent of employees as a legal basis, policies or procedures for how the consent is obtained and recorded should be provided/readily available. To ensure that consent is freely given, it is necessary that the employee does not suffer any negative consequences by refusing to consent.

Accountability
• A data controller cannot put the responsibility on suppliers when it comes to the choice of measure to achieve a purpose. It will always be the data controller’s responsibility to ensure compliance with the services they use.

Published: 30-04-2020, Journal number: N/A Tags: 01 Legal basis and principles of processing

Municipality fined for missing legal basis for WiFi-tracking

Summary

The municipality of Enschede used WiFi counting in the city center with the aim of measuring how crowded the city center was.

Sensors were placed in high streets that detected the WiFi signals from the mobile phones of passersby. Each phone was registered separately and given a unique code.

The ‘counting’ became ‘tracking’ as it was possible through data analysis to deduce information about specific persons, for example where they worked or lived, or in some cases whether they went to church.

The decision of the Dutch DPA

The Dutch DPA imposed an administrative fine of 600,000 EUR on the Municipality of Enschede for processing personal data of owners/users of mobile devices without any legal basis (GDPR, Articles 5(a) and 6(1)).

Our remarks

• If a processing relies on the legal basis “necessary for a task carried out in the public interest”, the law that the controller refers to must specifically allow the processing activity in question. It is not sufficient for “day-to-day administration” to legitimize the use of WiFi in such cases.

• Moreover, when collecting data for one purpose, the data controller should consider if the data could be used for other purposes. This consideration should be included in a risk assessment.

• Even if a data controller has a legal basis for monitoring citizens, it should always ensure that the processing is conducted in the most privacy-friendly way possible. For example, instead of WiFi-tracking cell phones, they could have used an automatic visitor counter. This alternative would not collect any personal data, while still serving the purpose of counting visitors.

Published: 29-04-2021, Journal number: N/A Tags: 01 Legal basis and principles of processing

Foreign office fined for poor security

Summary

Over the last three years, the Dutch Ministry of Foreign Affairs has processed approximately 530,000 visa applications per year.

To facilitate the Schengen visa process, the Ministry used the National Visa Information System (NVIS) as its digital platform. However, the security measures of the NVIS were inadequate, leading to the possibility of unauthorized access and tampering of files.

Additionally, the Ministry failed to inform visa applicants about the sharing of their personal data with third-party entities.

The decision of the Dutch DPA

The Dutch DPA imposed an administrative fine of 55,000 EUR on the Ministry of Foreign Affairs for inadequate security regarding visa applications (GDPR, Article 32).

Our remarks

• If a controller must live up to certain security requirements due to specialist legislation, these requirements will often align with GDPR, Article 32. This is because Article 32 of the GDPR obliges the data controller to ensure appropriate security measures in light of the nature, scope, context and purposes of processing personal data.

• When dealing with highly sensitive personal data, the requirements for security measures increase correspondingly.

• Within an organization, user access should always be limited in a way so that employees only have access to the personal data necessary for their role. This can be achieved by implementing procedures for granting and revoking user access to different employees at different points in time.

• Logging is an effective way to ensure technical security. However, if the logs contain personal data, procedures must be implemented to ensure compliance with data processing regulations.

Published: 06-04-2022, Journal number: N/A Tags: 05 Data security

DPG Media fined for unnecessary ID requests

Summary

DPG produced magazines that subscribers could receive by taking out a subscription. In order to send the magazines to subscribers, DPG collected personal data, including the subscribers’ names, addresses, and financial information such as bank data.

When individuals requested access to or erasure of personal data, DPG consistently required the individual making the request to prove their identity. If the request was submitted through the online form, DPG immediately prompted the requester to provide an identity document. For requests submitted via email, DPG sent a corresponding email requesting the submission of proof of identity. DPG maintained that a request for proof of identity was necessary before processing any request.

DPG claimed that, in accordance with GDPR, Article 12(6), it had the right to confirm the identity of individuals involved by obtaining a copy of their identification documents before granting access to or deleting their personal data.

The decision of the Dutch DPA

The Dutch DPA imposed an administrative fine of 525,000 EUR on DPG Media Magazines BV (DPG) for hindering the right to access and erasure (GDPR, Article 12).

Our remarks

• When data controllers are unsure about the identity of a data subject making a request, they can request additional information to confirm the identity of the data subject in question, as stated in GDPR, Article 12(6). However, this does not entitle the data controller to automatically request more information when receiving requests from data subjects who are exercising their rights. The assessment of uncertainty regarding identity should be done on a case-by-case basis.

• If there is any doubt about the identity of the person making a request, data controllers should only request necessary information, and refrain from collecting more sensitive personal data. Asking for copies of identification documents should only be done when strictly necessary due to the sensitive nature of the personal data contained in identity cards.

• One way to confirm the identity of a data subject could be to look at the subscriber/customer number in combination with the name and address of the requester, or by e-mail verification.

• Data controllers are obliged to make it as easy as possible for data subjects to exercise their rights. Therefore, data controllers should not implement measures that make it harder for data subjects to request access or exercise their rights.

Published: 14-01-2022, Journal number: N/A Tags: 03 Right to erasure and rectification

Locate Family fined for not appointing a representative

Summary

Locatefamily.com is a non-EU based organization which offers a platform enabling users to find the contact information of individuals they have lost contact with.

The Dutch DPA received several complaints about Locatefamily.com for failing to respond to requests for erasure by data subjects. Without their knowledge, the website disclosed personal data of roughly 700,000 Dutch people.

The decision of the Dutch DPA

The Dutch DPA found that the processing was within the scope of the GDPR and decided to impose an administrative fine of 525,000 EUR on Locatefamily.com for failing to appoint an EU representative (GDPR, Article 27(1), pursuant to Article 3(2)(a)).

Our remarks

• According to GDPR, Article 3(2), a data controller not established in the EU is subject to the GDPR if they offer goods or services to data subjects within the EU.

• If a controller offers services through a website aimed at European residents, they must comply with GDPR, Article 3(2) and appoint an EU representative.

• The precise criteria for determining when goods or services are “offered to data subjects in the Union” remain unclear. The mere fact of having a website or app that is available to data subjects in the EU does not necessarily trigger GDPR, Article 3(2).

• In the present case, the Dutch DPA probably found that Locatefamily fell under the GDPR because it disclosed information about a large number of European citizens and therefore should have foreseen that its service would be used by Europeans seeking to locate other Europeans.

• Factors that support the conclusion that goods and services are offered to data subjects in the EU include:
° If the company uses marketing directed at EU citizens
° If the company has its website in European languages other than English
° If the company sells goods or services intended for European customers, such as travel services.

Published: 10-12-2020, Journal number: N/A Tags: 07 Scope of the GDPR

Selected interesting cases – Netherlands 02

Can commercial interest be a legitimate interest?

Summary

VoetbalTV was a platform that streamed amateur football matches in the Netherlands. The platform used cameras placed around the fields to record matches. The VoetbalTV platform offered the ability to watch football clips, analyze matches, collect data, and share it with others. Users could access highlights and analytical tools created by the platform’s editorial team, including goals and opportunities.

To process this data, VoetbalTV relied on legitimate interest as per GDPR, Article 6(1)(f).

The Dutch DPA decision

The Dutch Data Protection Authority (AP) claimed that VoetbalTV had violated the privacy rights of individuals, as they could not base the processing on legitimate interest, and instead should have obtained consent from all the people in the footage. The Dutch DPA fined VoetbalTV 575,000 EUR. VoetbalTV then appealed the case to the District Court.

Decision by the District Court

VoetbalTV argued that (1) the journalistic exception applied and therefore the processing was not covered by the GDPR, and (2) commercial interest can be a legitimate interest and that they also pursued other interests.

Regarding the journalistic exception, the Court found that VoetbalTV could not use this exemption as the broadcasting of amateur football matches did not only serve a journalistic purpose. It did not have enough news value for that, and the processing had the character of unfiltered footage, rather than journalistic content.

Regarding legitimate interest, the Court stated that one cannot exclude commercial interest from being a legitimate interest. Furthermore, VoetbalTV pursued the interests of involvement and fun of football fans, performing technical analysis and making it possible to watch matches remotely.

The District Court annulled the decision of the Dutch DPA. The decision was appealed.

Decision of the Council of State

The Data Protection Authority argued that a “legitimate interest” is an interest that follows from the law, whereas VoetbalTV believed that a “legitimate interest” is any interest that does not conflict with the law.

The decision of the Council of State

The Council held that VoetbalTV’s interests were not solely commercial in nature. The DPA should have taken into account the other interests that the platform presented during the case. Therefore, the appeal lodged by the DPA was unfounded and the judgement under appeal was upheld.

Published: 27-07-2022, Journal number: ECLI:NL:RVS:2022:2173 Tags: 01 Legal basis and principles of processing

Our remarks

• While it remains unclear whether a purely commercial interest can be considered a legitimate interest, it cannot be excluded as a possibility. However, it could be argued that the Council believed it can be. For example, the Council affirmed the District Court’s statement that the test for legitimate interest is to see whether it was not prohibited. A purely commercial interest would pass that test. Furthermore, GDPR, recital 47, states that processing for the purpose of direct marketing can be based on legitimate interest. This supports the notion that a purely commercial interest could be a legitimate interest.

• When a data controller wants to rely on a legitimate interest, they should ask themselves the following questions:
1. Determine if there is a good reason for collecting and using the data.
2. Decide if the data collection is actually needed.
3. Weigh the benefits of collecting the data against the potential risks to people’s privacy.

• The case was highly debated, and it led to the European Commission sending a letter to the DPA about their concerns regarding their interpretation of legitimate interest. VoetbalTV went bankrupt in September 2020, partly because of the ongoing proceedings.

Grandmother ordered to delete Facebook photos of grandchildren

Summary

A mother of three underage children sued her own mother (the grandmother of the children). She wanted the grandmother to remove pictures of the children from Facebook and Pinterest as the grandmother had not obtained consent from the mother to publish the photos.

The Dutch GDPR Implementation Act stipulates that posting photos of minors who have not turned 16 requires the consent of the children’s legal representative.

In the case, the grandmother argued that the posting was not under the scope of the GDPR as the posting fell under the “household exemption” that states that the GDPR does not apply to “purely personal” or “household” processing of personal data. As one of the children had lived with the grandmother for seven years, the grandmother also argued that her special relationship with this child should allow her to post a picture of the child.

The decision of the Court of First Instance of Gelderland

• The Court ordered the grandmother to remove the pictures of the children on her Facebook and Pinterest accounts.

• The grandmother was required to pay 50 EUR for each day she failed to comply with the judgement, up to a maximum of 1,000 EUR.

Our remarks

• It is important to note that this is a very specific and individual interpretation, under a national GDPR-related law, and that posting pictures of children on Facebook is not per se excluded from falling under the “household exemption”.

• In this particular case, the Court determined that the grandmother’s act of posting pictures of the children did not qualify for the “household exemption”, as it could not be established that the photos would not be accessible to third parties. Thus, the posting was covered by GDPR rules. If an individual has a public profile and their pictures can be found via search engines such as Google, it suggests that the user’s act of posting photos is subject to the GDPR.

Published: 13-05-2020, Journal number: C/05/368427 Tags: 07 Scope of the GDPR

Legal basis for registration in Credit System

Summary

A data subject took out a loan with Hoist Finance which was registered in the Central Credit Information System (CKI) of the Credit Registration Office (BKR) with a special code “A” due to payment arrears. After the debt was settled, the data subject requested that the entry be removed from the BKR registration, but the controller did not comply.

The District Court of Amsterdam referred preliminary questions to the Dutch Supreme Court, asking whether the processing of personal data in the CKI must be assessed in accordance with GDPR, Article 6(1)(c) or 6(1)(f), or both provisions, and whether the data subject is entitled to the right to erasure and right of objection under the GDPR.

The decision of the Dutch Supreme Court

• The Supreme Court ruled that the processing of personal data in the CKI must be examined in accordance with the legitimate interest of the controller (GDPR, Article 6(1)(f)), rather than as processing necessary for complying with a legal obligation (GDPR, Article 6(1)(c)).

• It also stated that the data subject is entitled to the right to erasure and right of objection under the GDPR.

Our remarks

• Before using Article 6(1)(c) of the GDPR, it is essential to ensure that there is a legal obligation to process the personal data. This means that there must be a legal provision that explicitly requires the processing of personal data for a specific purpose.

• In this case the legal provisions did not provide clarity on which personal data could be registered in the CKI, the conditions for registration, and the time limits for the deletion of data. The CKI regulations, which were not based on a legal basis, governed these aspects. Personal data was registered in the CKI through an agreement between the BKR and credit providers.

• If the processing of data is based on GDPR, Article 6(1)(c), the data subjects do not have the right to erasure. Therefore, the legal basis relied on by the controller is important with regard to data subjects’ rights.

Published: 03-12-2021, Journal number: 21/00241 Tags: 01 Legal basis and principles of processing

Surgeon sued Google for linking to articles about her

Summary

A plastic surgeon who had been conditionally suspended in 2016 for a lack of patient aftercare requested Google to delete search results linking to articles about her suspension, pursuant to GDPR, Article 17. The disciplinary measures against the surgeon were published on a website under the title ‘blacklist’ due to national legislation.

Court decision

After Google rejected the request, the issue was brought before the Court, which upheld the surgeon’s claim. The Court considered the right to privacy to outweigh the right to freedom of expression and freedom of information, as the surgeon suffered unnecessary negative impact because potential patients would find her on a “blacklist” if they googled her name. Google argued that the surgeon was a public figure, which spoke in favor of the public interest in knowing about her disciplinary measures. The Court did not find that this led to the right to freedom of expression overruling the right to privacy.

Court of Appeal

The surgeon argued that her request should be assessed based on GDPR, Article 10 (processing of personal data relating to criminal convictions), whereas Google had no legal basis to process criminal personal data about her. To this the Court of Appeal found that disciplinary personal data did not fall under the definition of criminal personal data under the GDPR.

The Court of Appeal found that the surgeon did not provide sufficient evidence that she was substantially hindered by the contested search results. The Court considered that the applicant is a public figure in a debate on a subject regarding her profession, and that her controversial treatments and products require easily accessible online information for patients. The Court’s decision was based on the public’s interest in accessing information, and that outweighed the applicant’s right to privacy in this case.

Supreme Court

The Supreme Court found that the Court of Appeal had already considered correctly whether processing the data was strictly necessary. Therefore, it upheld the Court of Appeal’s decision.

The decision of the Dutch Supreme Court

• The Dutch Supreme Court upheld the decision of the Court of Appeal, and thereby accepted Google’s initial rejection of the request for erasure.

Our remarks

• When an individual is subjected to disciplinary action, their personal data does not fall under the category of criminal data as per Article 10 of the GDPR. As a result, it is permissible to process personal data about disciplinary matters without having to adhere to the special requirements of Article 10 of the GDPR. Criminal data can only be processed by public authorities or individuals who have a legal basis under EU or national law.

• If an individual is in the public eye, they should anticipate heightened levels of scrutiny, as they are often in positions of power, influence, or authority, and their actions can have a significant impact on society.

• The right to freedom of expression and freedom of information may outweigh the right to data protection, resulting in instances where the data controller may decline requests for erasure.

Published: 25-02-2022, Journal number: 20/02950 Tags: 03 Right to erasure and rectification

Formal warning to supermarket about facial recognition

Summary

A Dutch supermarket received a formal warning from the Dutch Data Protection Authority due to the use of facial recognition technology. Although the system was turned off in December 2019, the supermarket expressed interest in turning it back on.

The supermarket used the technology to protect its customers and staff from potential shoplifting by comparing the faces of those entering the store to a database of banned individuals. To do this, the system automatically scanned the face of everyone who entered the store.

The decision of the Dutch DPA

• The Dutch DPA issued a warning to the supermarket, prohibiting the use of facial recognition in the stores.

Our remarks

• As facial recognition processes biometric data, one needs to be able to use one of the exceptions in GDPR, Article 9(2). Pursuant to GDPR, Article 9(2)(a), explicit consent can be an exception to the prohibition of processing sensitive personal data. Walking into a store cannot count as explicit consent in itself, as there is no active action from the data subject regarding the consent.

• In the opinion of the Dutch DPA, facial recognition can also be used for ensuring authentication or security, but there is a high threshold for when the need for it is serious enough. In their opinion, it is appropriate to use facial recognition for ensuring security at nuclear power plants, but the purpose of avoiding shoplifting is not enough to justify facial recognition.

• This is a bit of a strict interpretation. For example, in Denmark, it has been accepted to use facial recognition for identifying banned football fans outside football stadiums.

• Nevertheless, if one wants to use facial recognition, one must carefully assess the processing before taking the system into use. This can be done by doing a risk assessment, where it should be evaluated which other purposes the data collected can be used for, for example profiling, surveillance, etc.

Published: 15-12-2020, Journal number: N/A Tags: 01 Legal basis and principles of processing

Compensation for non-material damage

Summary

A person filed multiple requests under the Freedom of Information Act and data protection law, after their personal data was shared on an online forum without their consent.

The individual claimed non-material damages resulting from the loss of control over their personal data and delays in receiving information about the forum messages. However, the State Council rejected the claim, stating that a GDPR violation does not automatically warrant compensation for damages, and that the individual must demonstrate real and certain harm, which they failed to do in this case.

The State Council’s decision

The State Council rejected the claim for damages.

Our remarks

• According to GDPR, Article 82(1) (right to compensation for material or non-material damage), a data subject has the right to receive compensation if they have suffered material or non-material damage as a result of a GDPR violation.

• Non-material damage in the GDPR encompasses harm that is not monetary, including emotional distress or reputational harm caused by a violation of their data protection rights.

• It is important to note that mere discomfort or inconvenience resulting from a breach of the GDPR is not sufficient to warrant compensation. The damage caused must be real and certain. The data subject must prove that they have suffered actual and provable harm as a result of a specific breach of the GDPR.

Published: 01-04-2020, Journal number: 201902699/1/A2 Tags: 08 Compensation for non-material damages

Right to access bank documents

Summary

A data subject made a request to their former bank for all documents containing their personal data that had been processed.

The data subject specifically sought information about potential EVA registration (a Dutch fraud prevention system) and the bank’s security affairs department’s report.

However, the bank stated that it no longer had these documents due to exceeding retention periods. The bank did, however, offer to conduct an internal investigation.

District Court

The District Court rejected the data subject’s request but allowed the bank to conduct an investigation and provide a report to the data subject. The data subject filed an appeal claiming that under GDPR, Article 15 they had the right to access complete copies of documentation containing their personal data, and that the bank had conducted multiple investigations into their activities. The bank argued that it no longer had the data as the retention period had lapsed.

The decision of the Court of Appeal

The Court of Appeal rejected the access request.

Our remarks

• Under Article 15 of the GDPR, individuals have the right to access their personal data, but this does not mean that they can demand full copies of all documentation containing their personal data, including underlying documents and personal notes made by others.

• Furthermore, a request for access may be rejected if it is deemed manifestly unfounded or excessive. This could be the case if the data subject submits requests for access every other week to harass or annoy an organization.

• If the organization chooses not to comply with a request, it must be able to demonstrate why the request is unfounded or excessive, and must still respond to the individual within one month of receiving the request. The organization must also explain the reasons for not complying with the request and inform the individual of their right to complain to the relevant supervisory authority and to seek a judicial remedy.

Published: 27-07-2021, Journal number: 200.290.520_01 Tags: 02 Right of access and obligation to provide information

Does the right to access also extend to exams and comments?

Summary

A student who had studied at the IHE Delft Institute for Water Education from 2011 to 2013, and failed several exams, was informed by the institute that he could no longer successfully complete the degree. The student requested access to view his exams and was told that payment was required for copies of the exams.

The student then took the case to court and demanded that IHE grant access to the documents of 16 exams, including the examiner’s written comments on answers to these examinations.

During the preliminary relief hearing, the judge informed both parties that the exams requested by the applicant, along with the examiner’s comments on their answers, should be considered personal data under GDPR, Article 4(1).

The decision of the Court

The preliminary relief judge ordered that IHE must provide the student with copies of the 16 requested examinations and the examiner’s written comments within three days of the date of the decision.

Our remarks

• Exams and comments from examiners can be regarded as personal data if it is possible to identify the data subjects involved.

• Data controllers cannot charge a fee for providing information requested by data subjects, unless the request is manifestly unfounded or excessive. An example of this is if the data subject requests access to an enormous amount of information.

• If the organization believes a request is excessive, they may attempt to clarify the scope of the request with the individual to see if it can be narrowed down.

Published: 28-05-2019, Journal number: C/09/564550 / HARK 18-596 Tags: 02 Right of access and obligation to provide information

Mother’s right to rectification regarding opinion on child’s safety

Summary

Veilig Thuis, a public organization responsible for dealing with cases or suspicions of domestic violence or child abuse, received reports from a school about an 11-year-old with frequent absences. Veilig Thuis sent an email to the child’s mother, stating that they had made an agreement with the obligatory education officer to be notified if the child’s safety was jeopardized again or continued to be so. The mother requested that the word “again” be removed from the email and for the entire file to be erased. Veilig Thuis rejected both requests, leading the mother to bring the matter to court.

District Court

The District Court rejected the mother’s appeal, stating that Veilig Thuis had a reasonable basis to judge that the child’s substantial interest required the organization to save the data. The Court further stated that this substantial interest in saving the data outweighed the mother’s interest in erasing it.

Appeal Court

Both the mother and Veilig Thuis appealed this decision. The Court of Appeal rejected the appeal, stating that Veilig Thuis processes personal data and carries out a task in the public interest and for reasons of public health. Therefore, the deletion request must be assessed on the basis of the Dutch Social Support Act 2015.

The decision of the Court of Appeal

The Court confirmed the District Court’s decision, stating that the substantial interest of Veilig Thuis and the child outweighed the mother’s interest.*

* The case is pending before the Dutch Supreme Court.

Our remarks

• Public organizations, such as Veilig Thuis, that deal with cases or suspicions of domestic violence or child abuse may process personal data and carry out tasks in the public interest and for reasons of public health. Therefore, the rules governing the processing of personal data, such as the GDPR, must be considered in conjunction with the applicable legislation.

• The right to erasure under the GDPR is not absolute, and the interests of the data subject must be balanced against the interests of the controller. In this specific case, the Court of Appeal found that the substantial interest of Veilig Thuis in maintaining the data outweighed the interest of the mother in having it erased. Therefore, it is important to understand that the right to erasure is not always applicable and must be balanced against the interests of all the parties involved.

• Additionally, the right to rectification under the GDPR does not extend to correcting or removing impressions, opinions, research results, and conclusions with which the data subject does not agree. This means that controllers may still hold personal data that is accurate and reflects their assessments and opinions, even if the data subject does not agree with them.

• Lastly, it is essential to consider the best interests of the child when making decisions that affect them, particularly in cases involving child welfare and protection. In some cases, the interests of the child’s legal representative, such as a parent or guardian, may not align with the best interests of the child. Therefore, it is crucial to prioritize the welfare of the child when making decisions that could impact their safety and well-being.

Published: 18-01-2022, Journal number: 200.297.497_01 Tags: 03 Right to erasure and rectification

Uber, right to access and data portability

Summary

In 2018, a group of Uber drivers from the United Kingdom submitted requests to access their data to Uber. The drivers were affiliated with the App Drivers & Couriers Union (ADCU), a trade union representing the interests of private hire drivers and couriers in the UK. ADCU was affiliated with the International Alliance of App Transport Workers (IAATW), which sought to establish a database to ensure the trustworthiness of data for gig workers.

However, Uber refused to provide the full information about the drivers, which led them to sue Uber in the District Court of Amsterdam, where Uber had its headquarters.

Uber argued, in its defense, that the drivers were abusing the law within the Dutch Civil Code by requesting access to the data. Uber claimed that the applicants would misuse the right to access to establish a database containing data from drivers, and that the database would serve as an unlawful means of retaliation in the case against Uber.

Request for access

Overall, the drivers wanted to know how Uber used their personal data and how the company's algorithms made decisions about their work. This included an assessment of eight different types of data.

Automated decision

Based on their request for access, the drivers wanted to establish that they were subjected to automated decisions within the meaning of GDPR, Article 22, so that they would be entitled to receive information about how the automated decision was made.

Uber used automated data processing to allocate available rides through the "batch matching system". The system grouped the nearest drivers and passengers in a batch and determined the optimal match within that group between a driver and a passenger.

Right to data portability

The drivers required Uber to provide the personal data specifically in a CSV file.

In summary, the Court had to decide on the following:

• Whether the different types of information were personal data and, if so, whether Uber had to grant access to this information.
• Whether Uber had properly complied with the requests for data portability.
• Whether the processing of personal data about the drivers carried out by Uber constituted an automated decision within the meaning of GDPR, Article 22.

The decision of the Court of Amsterdam

Request for access (GDPR, Article 15)

The Court of Amsterdam ordered Uber to provide access to the drivers in accordance with the findings in the case. The specific data were evaluated as follows:

• Driver's profile: Uber's internal referrals and reports to customer service employees did not qualify as "profiles" under GDPR, Article 4(4) and did not contain verifiable personal data, and were thus not subject to GDPR access requests.
• Tags: The Court defined a tag as a description used by Uber to assess driver behavior that cannot be verified by the data subject and, therefore, is not subject to access requests.
• Passenger feedback reports: The Court deemed these to be personal data but required anonymization to protect the rights of others under GDPR, Article 15(4); Uber did not have to provide further access to the passengers' details based on the contractual relationship.
• Start and end location of a trip: The Court found Uber's overviews of journey times and locations sufficient for access requests, preventing potential infringements of the privacy rights of others.

Published: 11-03-2021, Journal number: C/13/687315 / HARK 20-207 Tags: 02 Request for access and obligation to provide information

• Individual ratings: Uber was ordered to provide an anonymized overview of individual ratings.
• Driving behavior and use of phone during trips: The drivers' requests were too vague, and their claim was incomprehensible due to a lack of information.
• Upfront pricing system: Only one plaintiff was subjected to this new system, so the others could not request information about it under GDPR, Article 15.
• Automated decision-making and profiling: The Court agreed with Uber's argument that the company does not use automated decision-making within the meaning of Article 22, even though Uber uses automated decisions. Therefore, the Court rejected the request for further information under Article 15(1)(h). See also "Automated decision-making" in this section.
• Request for additional information: As Uber provided further information on processing purposes, categories of data, recipients of data, retention periods, and appropriate safeguards in its defense, the Court considered the question already resolved.

Right to data portability (GDPR, Article 20)

The Court ordered Uber to provide the data covered by the request for data portability in another format than PDF. However, it did not have to be a CSV file.

Automated decision-making (GDPR, Article 22)

The Court found that Uber's anti-fraud process did not constitute automated decision-making, as there was human intervention.

The automatic decision that happened in the "batch matching system" was an automated decision, but did not impose on the drivers any legal consequences or similarly significant effect. Therefore, it was not covered by GDPR, Article 22 and Uber did not have to provide the information mentioned in Article 15(1)(h).

Our remarks

Request for access

• A data subject does not have to provide a reason or justification for submitting an access request under the GDPR. In this case, the Uber drivers did not need to specify a particular interest or state the purpose they wished to achieve with the access. The mere fact that personal data was being processed was sufficient.
• A data controller is, on the other hand, entitled to ask for specifications on the type of personal data that the data subject requests access to. This is especially the case if the data subject has submitted a general request for access.
• When providing access, the data controller also has to observe the rights to privacy of others than the data subject submitting the request. For example, when providing access, Uber was required to anonymize the reports based on feedback from passengers in order to respect the rights and freedoms of the passengers.

Data portability

• The right to data portability means that the data subject has the right to receive a copy of their personal data from a company and transfer it to another company in a format that can be easily read by machines. It is normally viewed as being useful for customers, for example if they want to change bank or telephone operator, but the case shows that it can also be relevant in employment-based relationships.
• If there are no specific common formats within a certain industry, then there is no obligation for the data controller to provide the data in a certain type of file, as long as they provide the data in a commonly used, structured format such as XML, JSON or CSV.
• Providing personal data in PDF files is not a way of complying with the right to data portability, as the personal data in such a file is not structured or descriptive enough for the reuse of the data.
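Two of the Court's findings are things an engineer building a subject-access export has to implement: third-party data (the passenger feedback reports) is stripped before disclosure under Article 15(4), and the portability copy is delivered in a structured, machine-readable format rather than as a PDF under Article 20. The following Python is an added example, not code from the casebook or from Uber; the record layout, the field names and the sample trip data are constructed for illustration.

```python
from __future__ import annotations

import csv
import io
import json

# Constructed sample records for one driver. The field names are an
# assumption made for this example, not Uber's actual schema.
DRIVER_RECORDS = [
    {"trip_id": "t-1001", "start_time": "2021-02-01T08:05:00Z",
     "end_time": "2021-02-01T08:31:00Z", "start_area": "Amsterdam Zuid",
     "end_area": "Schiphol", "rating": 5,
     "passenger_id": "p-77", "feedback": "Friendly driver, clean car."},
    {"trip_id": "t-1002", "start_time": "2021-02-01T09:10:00Z",
     "end_time": "2021-02-01T09:22:00Z", "start_area": "Schiphol",
     "end_area": "Hoofddorp", "rating": 4,
     "passenger_id": "p-12", "feedback": "Took a slightly longer route."},
    {"trip_id": "t-1003", "start_time": "2021-02-02T17:45:00Z",
     "end_time": "2021-02-02T18:20:00Z", "start_area": "Hoofddorp",
     "end_area": "Amsterdam Centrum", "rating": 5,
     "passenger_id": "p-77", "feedback": ""},
]

# Fields that identify someone other than the requesting driver. They are
# stripped before disclosure (Art. 15(4)); the rating and the feedback text
# stay, because those are data about the driver.
THIRD_PARTY_FIELDS = frozenset({"passenger_id"})


def anonymize(record: dict) -> dict:
    """Copy of `record` without the third-party identifier fields."""
    return {k: v for k, v in record.items() if k not in THIRD_PARTY_FIELDS}


def build_export(records: list[dict]) -> dict[str, str]:
    """Return the anonymized data set as JSON and as CSV, i.e. structured and
    machine-readable. A PDF rendering of the same rows would not satisfy
    Art. 20, because the receiving system cannot parse it back into fields."""
    rows = [anonymize(r) for r in records]
    fields = list(rows[0]) if rows else []
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return {"json": json.dumps(rows, indent=2, ensure_ascii=False),
            "csv": buf.getvalue()}


def parse_csv(csv_text: str) -> list[dict]:
    """Read the CSV back: the reusability check a receiving controller would do."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def leaks_third_party_data(export: dict[str, str], records: list[dict]) -> bool:
    """True if a third-party field name or value survived into any output file."""
    values = {str(r[f]) for r in records for f in THIRD_PARTY_FIELDS if f in r}
    for text in export.values():
        if any(f in text for f in THIRD_PARTY_FIELDS):
            return True
        if any(v in text for v in values):
            return True
    return False


if __name__ == "__main__":
    out = build_export(DRIVER_RECORDS)
    print(out["csv"])
    print("third-party data leaked:", leaks_third_party_data(out, DRIVER_RECORDS))
```

The leak check is deliberately run over the serialized text rather than over the Python objects, so it also catches an identifier that slips into a free-text field or a column header.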

Automated decision-making

• If an automated decision has no legal consequence, it should be assessed whether it has a "similarly significant" effect. Even though the "batch matching system" did have a certain effect on the performance of the agreement between Uber and the driver, meaning the possibility of the driver to earn money, it was found that the batch matching system did not have a "similarly significant" effect on the data subject.
• This must be viewed as an edge case, and maybe it was ruled like this because the automated process was about the drivers in groups, and therefore the automated process was not deemed so intrusive for the rights of the driver as an individual.
• It is important for data subjects to know if they have been subject to automated decision-making under GDPR, Article 22, because such decisions can have significant legal or other effects on individuals. Data subjects have the right to be informed about the logic involved in any automated decision-making process, as well as the significance and consequences of such processing. Furthermore, they have the right not to be subject to a solely automated decision.
• If there is human involvement in a process, the processing will not be an automated decision within the meaning of GDPR, Article 22. Note that the involvement must be meaningful: a person who merely confirms the output of the system, without the authority or the information to change it, does not take the process out of Article 22.

Largest fines - Germany 03

H&M fined for insufficient legal basis for processing sensitive personal data

Summary

Several hundred employees of an H&M Service Center in Nuremberg had since 2014 been subject to extensive recording of information regarding their private lives, including symptoms of illness, diagnoses, romantic relationships and religious beliefs.

The data was collected through a 'Welcome Back Talk' for all employees returning from vacation or illness, and through office gossip. The data was permanently stored on a local network, which was accessible by up to 50 managers of the company.

The data was, in some cases, continuously updated and used to evaluate the performance of the workers and ultimately in employment decisions.

The affected individuals were unaware of the systematic recording of their personal data until it was discovered due to a technical error in October 2019. The technical error made the information available company-wide for hours. As a result of the incident, protective measures were introduced, and the company explicitly apologized to the affected employees. The DPA suggested offering monetary compensation, which was accepted and actioned by H&M.

The decision of the Hamburg Commissioner for Data Protection and Freedom of Information

The DPA fined H&M 35,300,000 EUR for the following violations:

• Not having a legal basis for the recording of special categories of personal data.
• Not adhering to the principles of data minimization and storage limitation.

Additionally, the DPA suggested remedial actions towards the affected employees.

Our remarks

• If a data controller wants to record employee data, they should ensure that they have an appropriate legal basis. This could, for example, be the performance of a contract between the employer and employee, or compliance with a legal obligation. If data processing is not covered by these grounds, another legal basis, such as consent or legitimate interests, must be established.
• When collecting personal data about employees, it is important to limit any processing of special categories of personal data to a minimum. The data controller should ensure that they fulfill one of the requirements in GDPR, Article 9(2). Recording personal data about employees' diagnoses or romantic relationships qualifies as processing of special categories of personal data.
• When processing and storing data concerning employees, it is essential to adhere to the principles of data minimization and storage limitation, as well as the principles of lawfulness, fairness and transparency. Before processing employee data, the employer should consider which data is necessary for the legitimate purpose of the processing, or for the fulfillment or performance of a contract to which the employer is a party. This can for example be ensured by having internal guidelines for the collection of personal data, erasure policies and so forth. Access to such records should also be restricted to those who need it; here the records were readable by up to 50 managers and, after the technical error, company-wide.
• The Hamburg Commissioner did not specifically mention compensation under GDPR, Article 82. H&M's voluntary remedial actions in response demonstrate a growing awareness of corporate responsibility regarding employee privacy. Similarly, the size of the fine highlights the employer's extensive responsibility in ensuring employee privacy.

Published: 01-10-2020 Journal number: N/A Tags: 01 Legal basis and principles of processing, 03 Right to erasure and rectification

Notebooksbilliger.de fined for lack of legal basis for video surveillance

Summary

For at least two years, the company Notebooksbilliger.de monitored both customers and employees in a range of areas, including sales, warehouses, and common spaces. The company claimed that the purpose of the monitoring was to prevent and resolve criminal activities such as theft, as well as tracking the flow of goods in the warehouses.

The monitoring was not limited to a specific timeframe or to specific conditions. In many cases, the records were stored for 60 days. Additionally, the Lower Saxony DPA (LfD Lower Saxony) noted that the monitoring was not based on suspicion towards specific individuals.

The DPA also found that some cameras were positioned to observe seating areas in the salesroom. Since seating areas typically encourage customers to get comfortable and stay for extended periods, such as when testing devices on offer, this could also result in the observation and analysis of a person's entire behavior.

The decision of the State Commissioner for Data Protection Lower Saxony

The DPA imposed a fine of 10,400,000 EUR on Notebooksbilliger.de AG for the following violations:

• Monitoring their employees and customers without sufficient legal basis for doing so (GDPR, Article 6(1)).
• Not adhering to the principles of data minimization, storage limitation and proportionality.

Additionally, the DPA suggested remedial actions towards the affected employees.

Our remarks

• When an employer considers video monitoring of the workplace, they should consider what legal basis the data processing should rely on:
° The inherent power imbalance between employers and employees means that consent is unlikely to be freely given. Therefore, employers should avoid using consent as a legal basis for processing personal data about employees.
° Instead, legitimate interests would likely be a more appropriate legal basis for video surveillance of employees. If the legitimate interest is to prove a criminal act, there must be a well-documented reasonable suspicion against specific persons (e.g., a recent criminal offence). General suspicion is not enough.
° If you are considering monitoring workplace areas that are accessible to customers, a separate legitimate interest must apply. If the legitimate interest is to prove a criminal act by visitors or customers, there must be a real and current threat, such as a recent act of vandalism at a neighboring shop or statistical proof of heightened crime risk in the area.
° Such practices, both regarding employees and customers, should be reviewed at regular intervals to ensure the continued necessity and proportionality of the processing.
• Video surveillance is considered a particularly intrusive form of data processing, as it potentially allows for the observation and analysis of a person's entire behavior. Therefore, the employer should take care to respect the principles of fairness, transparency and proportionality.
° When balancing the interests in question, the employer must ensure that the data processing is necessary and proportionate to the concerns raised. If a less intrusive method can achieve the same goal, the less intrusive method must be used. Consider other methods of risk mitigation than video surveillance (e.g., random bag checks).
• Finally, employers must consider the principle of data minimization by storing personal data for the minimum amount of time necessary and with a specified retention period. In the case in question, the DPA stated that 60 days was significantly longer than necessary.
• For further reading on processing personal data of employees, see A29WP Opinion 2/2017 on data processing at work or EDPB Guidelines 3/2019 on processing of personal data through video devices.

Published: 08-01-2021, Journal number: n/a Tags: 01 Legal basis and principles of processing

1&1 Telecom GmbH fined for insufficient security measures

Summary

The federal DPA of Germany (BfDI) discovered that 1&1 Telecom's authentication practice allowed any caller who claimed to be a family member of a customer, and who could provide the customer's date of birth, to gain access to a range of personal data. Additionally, callers were able to change the customer's personal data, such as bank details.

As a result of this practice, an individual gained access to their previous partner's new telephone number. The person whose number was compromised had deliberately changed their phone number to avoid contact from their ex-partner. After notifying the police, the DPA was informed of the breach.

The authentication practice had not been assessed for compliance with the GDPR.

The decision of the Federal Commissioner for Data Protection and Freedom of Information (BfDI)

The DPA initially ruled that the authentication procedure violated the obligation to take appropriate technical and organizational measures to systematically protect the processing of personal data (GDPR, Article 32).

The Regional Court of Bonn (LG Bonn) reduced the fine from 9,550,000 EUR to 900,000 EUR for the following reasons:

• The Court upheld the DPA's position that the calculation model, which considers turnover as an essential factor in determining the appropriate level of penalties, is appropriate for medium data protection violations under the GDPR.
• However, when it comes to a minor GDPR violation by companies with large turnovers (at group level or otherwise), the model would lead to disproportionately high fines, whilst conversely resulting in disproportionately low fines for severe GDPR violations by companies with low turnovers. The Court stated that the strong focus on annual turnover is problematic, especially in cases where the data breach was minor.

Our remarks

To prevent data breaches, it is important to implement appropriate organizational and technical measures. In the case at hand, a personal 'Service PIN' was introduced to provide an extra layer of security, which was considered sufficient for customer authentication. The underlying weakness was that a date of birth is not a secret: it is known to relatives and former partners and is often available from public sources, so asking for it identifies the customer but does not authenticate the caller.

• The data controller should assess the appropriateness of a security measure by considering the state of the art and the costs of implementation, balanced against the risk and severity of potential impacts on the rights and freedoms of the individuals whose data is being processed (GDPR, Article 32).
• When assessing the risks to the data subjects' rights and freedoms, consider the possible negative consequences of a data breach, including unlawful access, alteration, or deletion of personal data. Special categories of personal data, such as ethnicity or political beliefs, generally imply a higher risk than ordinary personal data, such as a customer number or e-mail address. However, some cases might imply high risks even to ordinary personal data, depending on the type and severity of the breach in conjunction with the type and context of the data processed. This case is an example: a telephone number is ordinary personal data, but disclosing it to the very person the customer was trying to avoid caused serious harm.
• Taking effective actions to mitigate the damage of a breach will possibly affect the fine size positively.
• Notify the competent DPA about the nature of the breach and, if possible, the categories and approximate number of personal data records and of data subjects concerned. This notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR, Article 33). If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects should also be notified without undue delay (GDPR, Article 34). Effective cooperation with supervisory authorities may also have a positive impact on the size of the fine.

Journal number: 29 OWi 1/20 Published: 11-11-2020 Tags: 05 Data Security
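What the BfDI objected to is easier to see in code. The following Python is an added example, not code from 1&1 Telecom or from the decision: it puts the date-of-birth check that was in use beside a check built around the per-customer service PIN that 1&1 introduced. The customer record, the PIN storage (salted PBKDF2), the lockout after three failures and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 3          # lockout policy: an assumption for this example
_DUMMY_SALT = b"\x00" * 16       # so unknown customer numbers cost the same time


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the service PIN; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def make_customer(date_of_birth: str, pin: str) -> dict:
    """Constructed customer record. The date of birth is stored in clear,
    because it is not a secret; the PIN is stored only as a salted hash."""
    salt = os.urandom(16)
    return {"date_of_birth": date_of_birth, "pin_salt": salt,
            "pin_hash": hash_pin(pin, salt), "failed_attempts": 0,
            "locked": False, "iban": "DE00 0000 0000 0000 0000 00"}


# Constructed sample data: customer number and PIN are invented for the example.
CUSTOMERS = {"4711": make_customer("1984-03-12", "309412")}


def weak_verify(customer_no: str, claimed_relation: str, date_of_birth: str) -> bool:
    """The practice the BfDI found: a caller who claims to be a relative and
    knows the customer's date of birth is treated as the customer and may read
    and change account data. The claimed relation is never checked, and a date
    of birth is known to relatives, ex-partners and public records, so this
    identifies the account but does not authenticate the caller."""
    cust = CUSTOMERS.get(customer_no)
    return cust is not None and cust["date_of_birth"] == date_of_birth


def strong_verify(customer_no: str, service_pin: str) -> bool:
    """Hardened check: the caller must present the service PIN that only the
    account holder received. The comparison is against a salted PBKDF2 hash in
    constant time, and the account locks after repeated failures so the PIN
    cannot be guessed over the phone."""
    cust = CUSTOMERS.get(customer_no)
    if cust is None:
        hash_pin(service_pin, _DUMMY_SALT)   # same cost as a real lookup
        return False
    if cust["locked"]:
        return False
    candidate = hash_pin(service_pin, cust["pin_salt"])
    if hmac.compare_digest(candidate, cust["pin_hash"]):
        cust["failed_attempts"] = 0
        return True
    cust["failed_attempts"] += 1
    if cust["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        cust["locked"] = True
    return False


def change_bank_details(customer_no: str, service_pin: str, new_iban: str) -> bool:
    """A change that can divert money is gated on the strong check only;
    the date-of-birth check plays no role in it."""
    if not strong_verify(customer_no, service_pin):
        return False
    CUSTOMERS[customer_no]["iban"] = new_iban
    return True


if __name__ == "__main__":
    # An ex-partner who knows the birthday passes the weak check...
    print("weak check, caller with DOB:", weak_verify("4711", "sister", "1984-03-12"))
    # ...but not the strong one, and is locked out after three guesses.
    for guess in ("000000", "123456", "111111"):
        print("strong check, guess", guess, ":", strong_verify("4711", guess))
    print("account locked:", CUSTOMERS["4711"]["locked"])
```

The lockout is the part that makes a six-digit PIN workable over the phone: without it, a million guesses is a small number for an automated dialer, and the PIN would be only marginally better than the birthday.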


Brebau GmbH fined for lack of legal basis and transparency

Summary

The housing and residential association Brebau GmbH processed sensitive data of over 9,500 potential tenants. In more than half of the cases, the data collected included information about skin color, ethnic origin, religious beliefs, sexual orientation and health status of the data subjects, and even physical appearance such as hairstyle and body odor.

In multiple cases, Brebau GmbH prevented data subjects from accessing their personal data and obtaining insight into how their data was processed.

The decision of the State Commissioner for Data Protection Bremen

The DPA fined Brebau GmbH 1,900,000 EUR, stating that the extraordinarily severe nature of the violation would have allowed for an even higher fine than the one imposed. Brebau was fined for the following violations:

• Processing categories of personal data that were not necessary for the fulfillment of the contract.
• Not complying with the right of access (GDPR, Article 15) and the principle of transparency (GDPR, Article 5(1)(a)).

However, as Brebau GmbH cooperated willingly by mitigating the damage, clarifying the facts and ensuring that no such violations would be repeated, the DPA reduced the amount of the fine.

Our remarks

The processing of special categories of personal data such as skin color, ethnic origin, etc. is not necessary for fulfilling rental agreements and therefore such processing is unlawful. Assessing which personal data categories are necessary for the processing ensures compliance with the GDPR. As a data controller, it is essential to implement efficient and accessible transparency practices to uphold the data subjects' right of access. The data subject must upon request be able to access information on (see GDPR, Article 15 for the full list):

• The purposes of the processing,
• The categories of personal data concerned,
• Third-party recipients or categories of recipients of the personal data,
• The existence of the right to rectification and the right to erasure, and the right to lodge a complaint with a DPA.

Published: 03-03-2022 Journal number: n/a Tags: 01 Legal basis and principles of processing, 02 Right to access and obligation to provide information

AOK Baden-Württemberg fined for failing to ensure security of processing

Summary

The health insurance company AOK Baden-Württemberg hosted competitions on various occasions between 2015 and 2019, where personal data such as contact information and health insurance affiliation was collected. AOK wanted to use this information for advertising purposes if the participants had consented accordingly.

For this purpose, AOK implemented various technical and organizational measures, including internal guidelines and data protection training, to ensure that only those who had given valid consent to the processing received advertising material. However, the measures taken were not sufficient, resulting in the personal data of over 500 raffle participants being used for advertising purposes without valid consent. No insurance data was concerned.

As soon as the allegations came to light, AOK immediately discontinued all sales activities.

The decision of the DPA

The DPA (LfDI Baden-Württemberg) fined AOK Baden-Württemberg 1,200,000 EUR for not meeting the requirements for technical and organizational measures to ensure secure data processing (GDPR, Article 32).

During the investigation, AOK conducted comprehensive internal reviews and adjusted their technical and organizational measures. Their cooperation with the DPA also resulted in a reduction in the amount of the fine.

Our remarks

• Ensure that internal data protection guidelines and training include the principle of integrity and confidentiality, as well as the legal requirements stated in GDPR, Article 32.
• When doing so, assess the level of risk to the data subjects' rights and freedoms in the processing of personal data to ensure a level of security appropriate to this risk.
• Appropriate measures to ensure the security of processing include, among others (GDPR, Article 32(1) lists these as examples, not as an exhaustive list):
° Pseudonymization and encryption of personal data.
° Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems.
° The ability to restore availability and access in a timely manner in case of incidents.
° A process for regularly testing, assessing and evaluating the effectiveness of these technical and organizational measures.
• In this case the measures relied on guidelines and training, i.e. on staff following a rule. A technical control in the system that sends the advertising, such as checking a per-participant consent record before any address is used, enforces the rule instead of relying on people to remember it.

Published: 30-06-20 Journal number: N/A Tags: 05 Data Security

Volkswagen fined for not providing data subjects sufficient information about the data processing

Summary

The police stopped a vehicle for a traffic check near Salzburg (Austria), as the police officers noticed unusual attachments to the vehicle that turned out to be cameras. The vehicle was part of a research program that tested and trained a driver assistance system in order to further avoid traffic accidents. Among other things, the vehicle recorded the surrounding traffic for error analysis. The research trip was carried out by a service provider on behalf of Volkswagen. Due to an accident, the vehicle was missing the magnetic signs that were meant to inform other road users about the recording.

Even though the data processing took place in Austria, the State Commissioner for Data Protection (LfD) in Lower Saxony handled the case, as Volkswagen, the controller of the processing of personal data, is primarily situated in Germany.

The decision of the State Commissioner for Data Protection (LfD) Lower Saxony

The DPA imposed a fine of 1,100,000 EUR for the following violations:

• Not providing the other road users with sufficient information about the processing (GDPR, Article 13).
• Not concluding a data processing agreement with the company that carried out the testing (GDPR, Article 28).
• Not maintaining a record of processing activities (GDPR, Article 30).
• Not carrying out a data protection impact assessment (GDPR, Article 35).

All four violations were 'low severity'. Additionally, the DPA took into account that the processing served to optimize the driver assistance system, thus improving road safety.

Our remarks

• When collecting data from the data subject by capturing video, make sure to properly inform the data subject of the nature and purpose of the processing as well as their rights. This ensures fair and transparent processing. In the case in question, a sign on the car containing a camera symbol as well as the mandatory information is likely to be adequate.
° Note: This practice differs from Danish DPA decisions, in which personal data collected through video surveillance is regulated through GDPR, Article 14, thereby allowing for the exemption from the obligation to inform the data subject if doing so proves impossible or involves a disproportionate effort. This would likely be the case when the data subjects are road users.
• Any processing of personal data carried out on behalf of a controller must rely on a data processing agreement. The processor must provide sufficient guarantees of appropriate technical and organizational measures to ensure compliance with the GDPR, and the data processing agreement must be clear and comprehensive.
• When processing is likely to result in a high risk to the rights and freedoms of the data subjects, performing a data protection impact assessment (DPIA) is required. While the decision does not specify why the data processing was 'likely to result in a high risk to the rights and freedoms of natural persons', the use of new technologies (e.g., the use of new technologies in innovative ways or in combination) is generally an indicator that a DPIA would be necessary. A DPIA should at least contain:
° A description of the envisaged processing operations, including purposes and, where applicable, the legitimate interests pursued,
° An assessment of the necessity and proportionality of the processing,
° An assessment of the risks to the rights and freedoms of data subjects,
° The measures envisaged to address these risks.
• If the DPIA shows that the processing would still result in a high risk after the envisaged measures, consult the competent Data Protection Authority before starting the processing (GDPR, Article 36).
• Make sure to keep a record of all processing activities, containing the purpose of the processing, a description of the categories of data subjects and of personal data, the categories of recipients (including third-party disclosures), third-country transfers, envisaged time limits for erasure and, where possible, a general description of the technical and organizational security measures.

Published: 26-07-22 Journal number: N/A

Bank fined for creating customer profiles without a legal basis

Summary

A commercial bank*, acting as the controller, used personal data of both current and former customers to identify those with a preference for digital media usage. The customer profiles were created to target them with intense electronic communications for commercial purposes, in the form of advertisements.

To carry out this analysis, a service provider was hired to analyze digital usage behavior, including app-store purchases, frequency of use of bank statement printers, and online banking transfers. This data was compared to offline usage at local branch offices and further enriched with data from a commercial credit reporting agency. Although most customers were notified in advance, the controller did not obtain consent from the data subjects.

The bank relied on legitimate interests, in the form of direct marketing, as the basis for the processing of data, analysis, and creation of customer profiles.

* Possibly Hannoversche Volksbank. This is not confirmed by the DPA.

The decision of the DPA

The LfD Lower Saxony fined the bank 900,000 EUR for the following violations:

• The bank's analysis of large amounts of data to create customer profiles could not be based on legitimate interests, as it did not properly balance its interests with the fundamental rights and freedoms of the data subjects (GDPR, Article 6(1)(f)).
• The data subjects could not reasonably expect their personal data to be analyzed on such a large scale for targeted advertising. The bank could not invoke a weighing of interests and should have obtained consent for the processing.
• The use of third-party data enrichment, such as data from a commercial credit reporting agency, to create precise profiles weighs heavily in favor of the rights and freedoms of the data subject in a balancing of interests. Thus, consent should have been obtained.

Note: The DPA press release states that the decision is not final. However, as no appeal was made within the two-week appeal period, the decision is now considered final.

Our remarks

• When basing data processing on a legitimate interest such as direct marketing, perform a balancing test to weigh the legitimate interest in the processing against the fundamental rights and freedoms of the data subjects.
° While it might not be obvious what the specific interests of the data subject are, it is crucial to consider their reasonable expectations. Do these reasonable expectations align with your legitimate interests? In the case in question, third-party enrichment to create precise profiles and the use of large databases for advertising purposes both exceeded what could be considered reasonable expectations.
• Ensure that any third-party data enrichment has a legal basis. In the case in question, consent should have been obtained. As third-party enrichment allows for the collection of data from different areas of life, potentially creating very precise profiles, it is important to carefully consider the implications of the processing and choose a legal basis accordingly. Also keep in mind the principles of data minimization and transparency.

Published: 28-07-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing

Vattenfall Europe Sales GmbH fined for not fulfilling transparency obligations

Summary

Vattenfall Europe Sales GmbH offered its customers especially beneficial contracts that involved a payout to customers. To avoid making these deals unprofitable, the company conducted routine reviews of contract inquiries for "behavior conspicuous for switching". To do so, Vattenfall utilized invoices from around 500,000 previous customers, effectively cross-referencing this information with the data obtained from the inquiries. However, the company did not inform new or existing customers about this data reconciliation process or its purpose.

The company cooperated extensively with the DPA throughout the investigation process.

The decision of the DPA

The DPA's investigation focused solely on the matter of information obligations and did not assess whether the data reconciliation itself was permissible.

The DPA fined Vattenfall Europe 900,000 EUR for the following violations:

• Not providing data subjects with information about their rights as data subjects in relation to the data processing (GDPR, Article 12).
• Not providing data subjects with information about the nature of the processing of their personal data or the purpose of the processing (GDPR, Article 13).

The fine was significantly reduced due to Vattenfall's extensive and immediate cooperation with the DPA.

Our remarks

• When processing personal data, make sure to inform your data subjects of their rights under the GDPR, including:
° The right to be informed,
° The right of access,
° The right to rectification and erasure,
° The right to restriction of processing,
° The right to data portability,
° The right to object,
° The right not to be subject to automated decision-making, including profiling.
• In accordance with the right to be informed, data controllers should inform the data subject about the data processing itself, including:
° The identity and contact details of the data controller and the DPO (if applicable),
° The purposes of the processing and the legal basis for the processing,
° The categories of data being processed,
° The recipients or categories of recipients who will have access to the personal data,
° Where processing is based on consent, the right to withdraw the consent.
• When the data is collected from the data subject, the information must be provided at the time the data is obtained (GDPR, Article 13(1)).

Published: 24-09-2021 Journal number: N/A Tags: 02 Right to access and obligation to provide information

Berlin e-commerce group fined for DPO conflict of interest

Summary

A Berlin-based e-commerce retail group appointed a Data Protection Officer (DPO) who also served as the managing director of two service companies that processed data on behalf of the controller. The two service companies were part of the same group and were responsible for customer service and order fulfillment.

As part of their legal obligations, the DPO was responsible for ensuring compliance with data protection laws by the service companies and making managerial decisions within them.

In 2021, the German DPA issued a warning to the controller for violating data protection laws. A subsequent inspection found that the violation persisted.

The Decision of the DPA*

The BlnBDI (DPA) fined the e-commerce retail group 525,000 EUR for the following violation:
• Failing to ensure that the tasks assigned to the DPO did not result in a conflict of interest (GDPR, Article 37(6)).

When imposing the fine, the DPA considered the controller’s high turnover in the previous financial year, the DPO’s role as the point of contact for both employees and customers, and the controller’s deliberate continuation of the violation despite warnings. However, the controller cooperated fully with the DPA and stopped the violation during the ongoing fine proceedings, resulting in a reduced overall fine.

*The decision is not yet final.

Published: 20-09-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing

Our remarks

• The independence of the DPO is critical in ensuring compliance. Monitoring one’s own decisions is incompatible with the role of a DPO, who must act independently of the controller or processor. To avoid risking a conflict of interest when appointing or instructing a Data Protection Officer, and to generally ensure a compliant DPO practice, consider the following:
° The DPO should have direct access to the highest management level and should not receive any instructions regarding the exercise of their tasks.
° The controller should ensure that the DPO is properly involved and informed in a timely manner about all issues which relate to the protection of personal data.
° The DPO should be provided with adequate resources to enable them to perform their tasks effectively and independently.
° Although a DPO may fulfill other tasks and duties beyond those of the DPO role, the controller must ensure that these additional tasks do not lead to a conflict of interest for the DPO.
° The tasks and duties of the DPO should be regularly reviewed to ensure they remain independent and not in conflict with other responsibilities within the organization.
° Data controllers should establish a reporting mechanism that allows employees to report any concerns about the DPO’s independence or conflicts of interest.
° The DPO cannot be responsible for the processing activities of the data controller or processor, as this would not fulfill the requirement for independence. Therefore, a DPO typically cannot hold the position of the top IT or HR executive in an organization. Instead, an employee who does not have ultimate responsibility for these areas may be appointed as DPO.

Published: 20-09-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing

VfB Stuttgart fined for neglecting the accountability principle

Summary

Between 2016 and 2017, VfB Stuttgart 1893 e.V., a registered association under German law, transferred tens of thousands of personal data records belonging to club members to an external service provider. The purpose of this transfer was to enable the spin-off of the professional soccer department into a stock corporation named ”VfB Stuttgart 1893 AG”. The data included information on underage members who would have turned 18 at the time of a general meeting where the spin-off decision was made.

Furthermore, after the GDPR came into effect, the soccer club shared an Excel spreadsheet containing over 100,000 data records with the service provider.

VfB Stuttgart did not provide a contractual basis for their partnership with the service provider. They had not documented who initially commissioned the service provider, the specific powers it held within VfB Stuttgart, or the extent of its access to the personal data of members and employees.

The Decision of the DPA

The LfDI (DPA) limited the proceedings to a violation of the principle of accountability and provisionally terminated any further proceedings concerning potential other violations of the GDPR. The DPA fined VfB Stuttgart 1893 300,000 EUR for the following violation:
• Lack of a contractual relationship with the external service provider and its authority within the club. Consequently, the legitimacy of the data processing activities could not be adequately verified or proven, which was a breach of the principle of accountability (GDPR, Article 5(2)).

Our remarks

• Compliance with the GDPR’s accountability principle is important to keep in mind when processing personal data. You must be able to provide evidence of compliance upon request by the relevant supervisory authority. Make sure that you can provide the Data Protection Authority with the following:
° Detailed and up-to-date documentation of your data processing activities, including the legal basis for processing, the purposes of processing, the categories of data subjects and personal data processed, the recipients of personal data, the retention period, and the security measures employed.
° Appropriate policies, procedures, and where applicable, codes of conduct to demonstrate compliance with the GDPR’s principles, including data minimization, accuracy, integrity, and confidentiality. This may involve conducting regular data protection impact assessments, reviewing and updating data processing agreements with third-party service providers, and ensuring that employees are adequately trained on GDPR compliance.
° Documentation of the appropriate technical and organizational measures taken to ensure the security of personal data and prevent unauthorized access or disclosure. This includes maintaining confidentiality and integrity of data, providing regular training to staff members, and conducting regular audits of data protection processes.

Published: 10-03-2021 Journal number: 0623.1-2/3 Tags: 01 Legal Basis and principles of data processing, 04 Data processing agreements and supervision of data processors and sub-processors.

Selected interesting cases – Germany

Scalable Capital ordered to compensate data subject for non-material damages

Summary

Upon registration as a customer at Scalable Capital, individuals provided a range of personal data that was later compromised in a data breach. Attackers were able to gain access to Scalable Capital’s entire IT system by acquiring access information from the firm’s former IT service provider, CodeShip Inc. As a result, the attackers gained access to a range of personal data, including the data subjects’ first and last name, title, address, email address, mobile phone number, nationality, marital status, tax residence and tax ID, IBAN, copy of identity card, and portrait photo. These third parties accessed the data on three separate occasions between April and October 2020, stealing a total of 389,000 records from 33,200 affected individuals.

Although CodeShip Inc. had ceased providing IT services to Scalable Capital in late 2015, the access data to Scalable Capital’s system had never been changed. The stolen personal data was subsequently used to obtain loans and was also offered for sale on the dark web.

The Decision of the Court of LG Bonn

The Court of LG Bonn ordered the controller to pay 2,500 EUR to the data subject for the following violations:
• The controller failed to implement organizational measures to ensure an appropriate level of data protection by not excluding CodeShip from access to their digital document archives immediately after the termination of their business relationship (GDPR, Articles 31(1) and 5(1)(f)).
• The Court found that the data breach had caused non-material damage to the affected individuals, such as feelings of uncertainty, loss of trust, and anxiety about potential misuse of their personal data. Therefore, the Court ordered compensation for non-material damage (GDPR, Article 82(1)).

Our remarks

• The case signifies that the German Court applies a broad interpretation of the right to compensation for non-material damages. A data controller could be held liable for such damages that might result from a data breach within its responsibility.
• When doing a risk assessment, take into account the nature and severity of a possible infringement.
• In this case, even though there was no evidence of existing fraud or misuse of the personal data, the personal data involved in the breach was so comprehensive that the risk for future material damage was taken into account.
• To avoid being held liable for inflicting non-material damages or the risk of future material damages as a result of a data breach, it is important to ensure adequacy of technical and organizational security measures:
° Make sure that only current third-party business relations have access to your systems. Conduct regular security assessments and penetration testing to identify vulnerabilities in your system and organization (including partners) and implement adequate measures to address them.
° Monitor access to personal data, limit it to authorized personnel (internally as well as regarding third parties), and revoke access for those who no longer require access.

Published: 09-12-2021 Journal number: 31 O 16606/20 Tags: 05 Data Security, 08 Compensation for non-material damages

Company ordered to cover repair costs for customer

Summary

A German company used Mailchimp as a newsletter tool. A data subject claimed that transferring email addresses of the company’s newsletter subscribers to Mailchimp, which is a US-based company, constituted an unlawful third-country transfer pursuant to the GDPR.

The Decision of the Bavarian State Office for Data Protection Supervision (BayLDA)

As the company informed the DPA that it had used Mailchimp only twice and confirmed that it would stop using the service with immediate effect, and as the final EDPB guidelines on the supplementary measures for transfers of personal data to third countries were not yet finalized, the DPA did not impose a fine or take any other enforcement actions.

Our remarks

• When using services that require transfers to third countries, first see if the country in question has received an adequacy decision from the European Commission. Data transfer to these countries is expressly permitted. The countries that have received adequacy decisions are:
° Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea.
• When transferring data to unsecure third countries, conduct a Transfer Impact Assessment (TIA) to assess the adequacy of the data protection level of the data importer to ensure EU level protection of personal data. Data controllers must take the wording of the SCCs (Standard Contractual Clauses) and the legal system of the third country into account, in particular with regards to access to the transferred data by public authorities (such as intelligence services) in the third country.
• Depending on the outcome of this assessment, the data exporter and the data importer may be required to implement and prove adequate supplementary measures in order to safeguard the data.
• For this purpose, if the data importer does not require ‘data in the clear’, you can implement effective encryption as a supplementary measure. (See ComplyCloud Transfer Roadmap for an exhaustive overview)
° Data must be subject to transfer encryption prior to transfer on the ‘data layer’.
° The encryption must be ‘state-of-the-art’.
° The encryption keys must be reliably managed (must be kept under the sole control of trusted parties in the EEA or a country which offers an essentially equivalent protection).
° ‘Backdoors’ must be excluded.
• If the importer needs the data in the clear, you must demonstrate and document that you have no reason to believe that relevant and problematic legislation will be applied in practice.
° To rely on a ‘no reason to believe’-assessment, you must be able to demonstrate and document that the law is not interpreted and/or applied in practice to cover your transferred data and importer (for a list of possible sources of information, see EDPB recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, paragraphs 44-47).
• At appropriate intervals, evaluate the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any legal developments that may affect it.

Published: 15-3-2021 Journal number: LDA-1085.1-12159/20-IDV Tags: 06 Transfers to third countries

• To ensure compliant third country transfers, and to further your understanding of the European data transfer regime after Schrems II, see the ComplyCloud Transfer Roadmap whitepaper on our webpage under ‘academy’ -> ‘downloads’ -> Transfer Roadmap.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.


Insurance company ordered to cover the cost of repairs for a customer

Summary

A customer of a health insurance company experienced an increase in his premiums. Subsequently, after paying the premium for a period, he requested a refund, as well as access to all supplementary documents related to the insurance policy and notification letters sent to him during the contractual relationship.

The Regional Court of Aachen ruled in favor of the data subject in the initial hearing. However, the controller (the insurance company) appealed the decision, arguing that GDPR, Article 15 only requires transparency of processed data and does not grant access to documents. The controller further contended that granting access to such a wide range of documents would be an impermissible discovery of evidence, contrary to the principle of civil procedural law. Lastly, the controller claimed that the data subject’s request was excessive under GDPR, Article 12(5) as it was meant to verify the validity of premium increases, not the lawfulness of the processing.

The Decision of the Higher Regional Court of Köln (OLG Köln)

OLG Köln rejected the controller’s arguments, ordering them to pay and cover the cost of repairs to the data subject (~2000 EUR) as well as providing access to the documents in question with the following holdings:
• The Court found that the right to a copy is independent from the right to access and gives the data subject a right to a copy of the data in its raw form (GDPR, Articles 15(1) and 15(3)).
• The Court rejected the controller’s arguments that the request was excessive under the German Civil Code or GDPR, Article 12(5). It reasoned that the overall purpose of the GDPR is to protect all rights and freedoms of the individual against harm and risks arising from the processing of personal data, not just those enshrined in data protection law.
• The Court concluded that the data subject has a legitimate interest in using GDPR, Article 15(3) to reduce an asymmetric level of information between themselves and the controller to protect their rights. Moreover, the Court noted that the right to access must not depend on an unverifiable assertion about the inner motivation of a data subject.

Our remarks

• The right to access is independent of the right to a copy of the data and should be construed extensively to provide individuals with a complete picture of how their data is being used.
• Controllers cannot reject a request for access unless it is excessive or unfounded and must provide access to any supplementary information related to the data. Be aware that the burden of proof that a request is excessive lies with you as the controller.
• Data controllers must not restrict or limit the right to access based on the motivation or purpose of the request and must consider the overall purpose of the GDPR to protect the rights and freedoms of individuals in relation to their personal data.
° Be aware, however, that even though this case is conclusive and persuasive, it differs from other cases. For example, the Danish DPA has, in a similar case, ruled that a father could not gain access to the data processed about his daughter at a sports club, since his motivation was not to secure the lawfulness of the data processing, but to gain access to his daughter’s dancing class schedule. Link to article.

Published: 13-0-2022 Journal number: 20 U 295/21 Tags: 02 Right of access and obligation to provide information

Data subject awarded reparation after unlawful transfer of IP addresses

Summary

The controller, an unnamed German company, incorporated Google Fonts into their website, resulting in the automatic transmission of the data subject’s dynamic IP address to Google’s servers located in the United States.

The Decision of LG Munich

LG Munich awarded the data subject 100 EUR in reparations, as it found the data controller in breach of the following violations:
• The Court found that a dynamic IP address was to be considered as personal data as the controller had an abstract opportunity to identify the data subject (GDPR, Article 4(1)).
• The Court found the transfer of the IP address to Google without the consent of the data subject to be unlawful (GDPR, Article 6(1)(a)).
• The Court also held that the infringement is not justified as necessary for the purpose of the legitimate interests pursued by the controller, since Google Fonts could be used without having a connection to Google’s servers (GDPR, Article 6(1)(f)).
• The Court held that the term ‘damages’ in GDPR, Article 82(1) is to be understood broadly, including to prevent future violations in cases of risk of repetition.

Our remarks

• The transfer of personal data, including IP addresses, to third-party services such as Google Fonts should only be done with the explicit and informed consent of the data subject.
° Don’t forget to conduct a TIA (See Mailchimp case and our Transfer Roadmap whitepaper).
• Controllers should take into consideration the broad interpretation of the term ”damages” in GDPR, Article 82(1), which aims to sanction data protection violations and prevent future ones.
• The risk of repetition is factually presumed when a violation of rights has been established, and controllers should take active measures to prevent further violations from occurring.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 20-05-2023 Journal number: 3 O 17493/20 Tags: 06 Transfers to third countries
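The Court's reasoning turns on a technical fact: a page only sends the visitor's IP address to Google when its markup tells the browser to fetch something from Google's font hosts, and the same fonts can be served from the controller's own domain. The following check, added here as an example and not part of the casebook or any court file, scans a page's HTML for the references that cause that connection (stylesheet links, preconnect hints, and url()/@import rules in CSS) so a controller can verify its own site before relying on the remark above. The two sample pages and the host list are constructed for the example.

```python
"""Find markup that makes a visitor's browser contact Google Fonts.

Added example (not from the casebook): a static check for the pattern the
LG Munich decision concerns. A page that loads fonts from Google's servers
transmits the visitor's IP address to them; a self-hosted copy does not.
"""
import re
from html.parser import HTMLParser

# Hosts used by Google Fonts: the CSS endpoint and the font-file host.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

# url(...) inside CSS, or a bare @import "..." without url().
_CSS_REF = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")


class _FontRefCollector(HTMLParser):
    """Collect external references from <link>, <style> blocks and style="" attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (location, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("href"):
            # Both rel=stylesheet and rel=preconnect cause a connection.
            self._check(attrs["href"], f"<link rel={attrs.get('rel', '?')}>")
        if tag == "style":
            self._in_style = True
        if attrs.get("style"):
            self._check_css(attrs["style"], f"<{tag} style=...>")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._check_css(data, "<style> block")

    def _check_css(self, css, where):
        for groups in _CSS_REF.findall(css):
            for url in groups:
                if url:
                    self._check(url, where)

    def _check(self, url, where):
        if any(host in url.lower() for host in GOOGLE_FONT_HOSTS):
            self.findings.append((where, url))


def find_google_font_references(html):
    """Return [(location, url), ...] for every reference to a Google Fonts host."""
    parser = _FontRefCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (not taken from the case).
GOOGLE_HOSTED_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url('https://fonts.googleapis.com/css?family=Lato');</style>
</head><body style="font-family: Roboto">Hello</body></html>"""

SELF_HOSTED_PAGE = """<html><head>
<style>
@font-face { font-family: "Roboto"; src: url("/fonts/roboto-regular.woff2") format("woff2"); }
</style></head><body style="font-family: Roboto">Hello</body></html>"""


if __name__ == "__main__":
    for name, page in (("google-hosted", GOOGLE_HOSTED_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        refs = find_google_font_references(page)
        print(f"{name}: {len(refs)} reference(s) to Google Fonts hosts")
        for where, url in refs:
            print(f"  {where}: {url}")
```

Run it against a saved copy of each template your site serves; a clean result (as for the self-hosted sample) means the fonts are delivered from your own origin and the visitor's browser never opens a connection to Google for them.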

Data subject awarded damages for unauthorized criminal background check

Summary

The data subject sought membership in an association, and the association’s managing director instructed a background check to be carried out on the individual. The investigation uncovered information on the individual’s past criminal convictions, which was then relayed to the association’s executive board. Subsequently, the association rejected the individual’s membership application. The data subject argued that the controller had breached GDPR, Article 10, since the processing of their personal data related to criminal convictions did not occur under official supervision. Consequently, they demanded compensation for pain and suffering.

The Decision of the Higher Regional Court of Dresden

The Higher Regional Court upheld the decision of the Regional Court of Dresden, awarding the data subject damages in the amount of 5,000 EUR for the following violations:
• The processing was deemed unnecessary because the controller could have used less intrusive alternatives like self-disclosure or police clearance certificates.
• In terms of liability, the Court found that the managing director was to be considered a controller alongside the company (GDPR, Article 4(7)).
• When assessing the non-material damages under GDPR, Article 82, the Court considered the nature, gravity, duration, degree of fault and measures taken to mitigate harm, previous breaches, and categories of personal data. In this instance, the Court found that the breach exceeded the de minimis threshold despite it being a one-time event. The sensitive nature of the personal data collected and disclosed affected the interests of the data subject, which was why the damages already awarded in the amount of 5,000 were deemed appropriate.

Our remarks

• Personal liability can apply to managing directors. The case shows that managing directors can be held personally liable for breaches of GDPR if they are found to have acted intentionally or negligently in violation of the GDPR.
• Personal data relating to criminal convictions must be processed under official supervision. Collection must happen under official supervision, as required by GDPR, Article 10. This supervision may be provided by a public authority or by a person or body authorized by EU or Member State law.

Published: 30-11-2022 Journal number: N/A Tags: 07 Compensation for non-material damages

Data Processor’s promises regarding third-country transfer were valid

Summary

A Europe-wide invitation to tender for the procurement of a digital healthcare patient discharge management software system included a criterion that any data processing had to be conducted in a data center situated in the EEA, and that no subcontractor should be located in third countries. The tender was won by Company A, which had an EU subsidiary serving as a subcontractor (data processor) and was incorporated in the US as a parent entity. The complainant, Company B, which was also a part of the tender process, argued that Company A should be excluded from the procurement as its subcontractor posed a potential risk, in that US governmental bodies could gain access to the personal data on the EU servers.

The Baden-Württemberg Public Procurement Chamber agreed with the complainant, arguing that the use of the subcontractor, and its inherent risk, constituted a transfer within the meaning of GDPR, Article 44.

The decision was appealed. Additionally, the Baden-Württemberg DPA criticized the decision, noting that the decision did not factor in the possibility for parties to implement technical and organizational measures to reduce or eliminate risks, such as using encryption technology, and that equating the risk of access with actual transmission was legally questionable.

The Decision of Karlsruhe Higher Regional Court (OLG Karlsruhe)

The OLG Karlsruhe overturned the decision of the Public Procurement Chamber, holding that:
• Merely being a subsidiary of a US-based company did not require the respondents to doubt the fulfilment of the promise of performance. The respondents did not have to assume that the US parent company would give instructions that violated the law and the contract or that the European subsidiary would follow instructions from the US parent company that violated the law.
• Since the respondents did not have to assume that the personal health data would be transferred to a third country, there was no need to conduct a transfer impact assessment.
• Promises of organizational and technical measures to ensure compliance with GDPR provisions when transferring data to the US are irrelevant in terms of the agreement to process the data exclusively in Germany.

Our remarks

• The mere fact that a subsidiary is owned by a US-based parent company does not necessarily mean that the subsidiary would violate GDPR provisions. However, controllers must ensure that the third-party processors they engage with, regardless of their ownership structure, can fulfill GDPR requirements. In this case, it would be sufficient to implement organizational and technical measures to prevent unauthorized third country access.
• To assess whether you need to conduct a transfer impact assessment, and to further your understanding of the European data transfer regime after Schrems II, see the ComplyCloud Transfer Roadmap whitepaper on our webpage under ‘academy’ -> ‘downloads’ -> Transfer Roadmap.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 07-09-2022 Journal number: Az. 1 VK 23/22 Tags: 06 Transfer to third countries


Claim of non-material damages rejected by Court

Summary

Following the expiration of a fixed-term employment contract, a photograph of the data subject, along with his name, was still available on the Internet in connection with the former employer’s (controller) company. In a letter dated 12 September 2018, the data subject requested the plaintiff to delete these entries. During an internet search on 10 and 11 October 2018, the data subject found entries by the former employer with his name and photo via Google.

The data subject further argued that the unauthorized publication of his photo and his name in connection with the controller’s company put him at a noticeable disadvantage in his work as a freelance real estate agent. The data subject argued that several potential business partners would have refused to work with him because of the former employer’s bad reputation in the real estate industry. He was of the opinion that the immaterial damage he had suffered because of this should amount to at least 25,000 EUR and declared the offsetting of this claim as compensation.

The Decision of the Higher Regional Court of Brandenburg (OLG Brandenburg)

OLG Brandenburg rejected the claim for damages for the following reasons:

A claim for damages can only arise from GDPR, Article 82, if concrete damage has been fully presented. The Court stated that such a claim had no material prospect of success in this case. A mere breach is not sufficient for claiming non-material damages.

Our remarks

• Even though the German Court applies a broad interpretation of the right to compensation for non-material damages, there must be indicators that the data subject has been significantly affected by the infringement. The threshold at which the severity of the infringement needs to be evaluated varies on a case-by-case basis and requires individual consideration.
• When doing a risk assessment, take into account the nature and severity of a possible infringement.
° Examples of recognized non-material damages include feelings of uncertainty, loss of trust and anxiety about (potential) misuse of personal data. These risks need to be assessed in conjunction with the severity of the infringement.
• To avoid being held liable for inflicting non-material damages or the risk of future material damages because of a data breach, ensure adequacy of technical and organizational security measures:
° Ensure that only current third-party business relations have access to your systems. Conduct regular security assessments and penetration testing to identify vulnerabilities in your system and organization (including partners) and implement adequate measures to address them.
° Monitor access to personal data, limit it to authorized personnel (internally as well as third parties), and revoke access for those who no longer require access.

Published: 11-08-2021 Journal number: 1 U 69/20 Tags: 08 Compensation for non-material damages
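The two security remarks repeated for the Scalable Capital case and for this one (only current third-party relations may hold access; access that is no longer required must be revoked) are easy to state and easy to neglect, as the years-old CodeShip credentials in the Scalable Capital case show. The check below is an added example, not code from the casebook or from either company: it walks an access inventory and pairs every credential with the business relationship it belongs to, flagging credentials whose owner's contract has ended, whose owner is unknown to the contract register, or which have simply gone idle. All grants, vendors and dates are constructed sample data; the field names are assumptions.

```python
"""Flag system access that belongs to ended vendor relationships or has gone idle.

Added example (not from the casebook). Implements the remark "only current
third-party relations have access; revoke access no longer required" as a
repeatable check over an access inventory. All records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str              # account or API key identifier
    owner: str                  # vendor or internal team the credential belongs to
    system: str                 # what it opens
    last_used: Optional[date]   # None = never used


@dataclass(frozen=True)
class Vendor:
    name: str
    contract_end: Optional[date]   # None = relationship still active


def stale_grants(grants: List[Grant], vendors: List[Vendor], today: date,
                 idle_days: int = 90) -> List[Tuple[Grant, str]]:
    """Return (grant, reason) pairs that should be revoked.

    Reasons, in order of precedence:
      "unknown-owner"   no contract record exists for the owner at all
      "contract-ended"  the owning relationship ended before today, regardless
                        of whether the credential is still being used
      "idle"            never used, or unused for more than idle_days
    """
    by_name = {v.name: v for v in vendors}
    findings = []
    for g in grants:
        v = by_name.get(g.owner)
        if v is None:
            findings.append((g, "unknown-owner"))
        elif v.contract_end is not None and v.contract_end < today:
            findings.append((g, "contract-ended"))
        elif g.last_used is None or today - g.last_used > timedelta(days=idle_days):
            findings.append((g, "idle"))
    return findings


# Constructed sample inventory (dates and names are illustrative only).
TODAY = date(2020, 4, 1)

VENDORS = [
    Vendor("former-it-provider", date(2015, 12, 31)),   # relationship ended years ago
    Vendor("current-hosting", None),
    Vendor("internal-ops", None),
]

GRANTS = [
    # Still in active use, but the owner's contract ended: usage is not a reason to keep it.
    Grant("svc-former-it", "former-it-provider", "document-archive", date(2020, 3, 28)),
    Grant("svc-hosting", "current-hosting", "document-archive", date(2020, 3, 31)),
    Grant("ops-admin", "internal-ops", "document-archive", date(2019, 11, 2)),
    Grant("legacy-backup", "old-backup-co", "document-archive", None),
]


def revocation_list(today: date = TODAY) -> List[Tuple[str, str]]:
    """Principals to revoke, with the reason, for the sample inventory."""
    return [(g.principal, reason) for g, reason in stale_grants(GRANTS, VENDORS, today)]


if __name__ == "__main__":
    for principal, reason in revocation_list():
        print(f"revoke {principal}: {reason}")
```

The ordering of the checks is the point: a credential held by a former provider is flagged even when it was used last week, because recent use by a party that no longer has a business reason to hold it is the scenario the Scalable Capital breach describes, not evidence that the access is legitimate. Feed the function the real inventory exported from your identity provider and the contract register kept by procurement, and run it on a schedule rather than once.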

Copyright law prioritized artistic freedom over personality rights

Summary

Tina Turner brought a lawsuit against the organizers of a tribute show titled ”Simply the Best - Die Tina Turner Story,” seeking injunctive relief. She claimed that the show’s name and promotional materials created the impression that she would be performing or endorsing the production.

At issue was whether the Tina Turner impersonator in the show closely resembled the original performer, and whether the advertising posters featuring her photo and the title ”Simply The Best - The Tina Turner Story” suggested that the superstar was directly involved in the production.

The dispute regarded whether the artistic freedom according to German copyright law of the Tina Turner lookalike outweighed the real Tina Turner’s personality rights to the use of her image.

Even though the dispute mainly was assessed under articles in the German Civil Code, the Court specifically stated that the evaluation of the interests of the parties in the case is the same as the one made after GDPR, Article 6(1)(f). The photo of Tina Turner used on the posters

The Decision of the German Supreme Court

The German Supreme Court denied Tina Turner’s claim for injunctive relief as the impersonator’s artistic freedom outweighed the personality rights of Tina Turner, according to German copyright law. This decision was made after a balancing exercise, similar to that required by legitimate interests as legal basis (GDPR, Article 6(1)(f)).

Published: 24-02-2022 Journal number: I ZR 2/21 Tags: 01 Legal basis and principles of processing

Our remarks

• In Germany, and in the rest of Europe, copyright law requires a balancing exercise between artistic freedom and personality rights when determining the legality of using a person’s likeness for commercial purposes.
• Despite this case, the use of a performer’s name and image in other contexts without their consent can be an infringement of an intellectual property right or privacy rights according to the GDPR.
• When you are a famous public figure, you often endure more than a regular person does. In the case, the Court also argued that the photo on the poster was taken in a public setting and that its use was not overly invasive.
• In some cases, other fundamental rights like the right to freedom of expression or artistic freedom can exceed a data subject’s rights under the GDPR.
• In the specific case, the Court found that Tina Turner’s right to images was exceeded as there was no risk of confusion between the cover artist and the real Tina Turner. As Tina Turner was 80 years old and had officially ended her career ten years ago (at the time of the lawsuit) there was no such risk.

Disclosure of personal data for the enforcement of civil law claims

Summary

An individual who did not have a Facebook Messenger account learned that her personal data was being discussed in a group chat on Messenger by her family members.

The family members wrote messages like “She is the biggest bitch” or “What a disgrace she is for the proud family”. In addition to the insulting content, the family members made false factual claims about her.

The individual requested access to the information being disclosed about her in the group chat including IP addresses of the users, the messages, e-mail addresses of the users etc. to have the opportunity to establish a civil claim. This request was denied by Facebook.

The individual then filed a complaint with the Irish Data Protection Commission (DPC), as Facebook’s European headquarters are in Ireland. The Irish DPA referred the case to the German Federal Court of Justice (Bundesgerichtshof) as the applicant was German.

The case raised questions in relation to whether the information could be provided according to the German Telemedia Act (TMG) and the GDPR.

The Court found that Facebook Messenger comes under the purview of the TMG, which allows service providers to disclose user data to enforce civil law claims. Furthermore, the Court deemed this disclosure as a necessary and proportionate action within a democratic society, in line with GDPR, Article 23(1)(j).

The Decision of the German Federal Court

The German Federal Court ruled that according to GDPR, Article 17, the individual had the right to be provided with the personal data being discussed about her in the group chat on Messenger.

Our remarks

• The right to access personal data under the GDPR also applies to individuals who are not users of a particular service. In this case, the person who did not have a Facebook Messenger account was still entitled to access the personal data being discussed about her in a group chat on Messenger.
• The right to privacy is an important consideration in determining whether an individual should be granted access to personal data, as there can be opposing privacy rights that need to be assessed. The German Court found that the person’s right to privacy outweighed Facebook’s interests in protecting the privacy of other Messenger users.
• The case shows how GDPR can influence the application of other laws. The Court concluded that TMG’s provisions regarding the disclosure of user data for the enforcement of civil law claims must be applied in accordance with the GDPR’s requirements of necessity and proportionality.
• The ruling highlights the importance of transparency and accountability in data processing practices. The GDPR requires companies to be transparent about their data processing practices and to ensure that individuals can exercise their rights to access, rectify, and delete their personal data.

Published: 24-09-2019 Journal number: VI ZB 39/18 Tags: Right to access and obligation to provide information

Dismissal of DPO over concerns of potential conflicts of interest justified under national legislation

Summary

An employee, who had been working for X-FAB since 1st November 1993, held the positions of chair of the works council and vice-chair of the central works council for three undertakings within the group of companies, all of which belonged to X-FAB and were situated in Germany. Beginning in June 2015, the employee was appointed as the DPO for X-FAB, its parent company, and other subsidiaries established in Germany.

However, in response to a request from the Thüringen DPA, X-FAB and the undertakings in question dismissed the employee from his duties as DPO, citing concerns of potential conflicts of interest due to his concurrent roles as DPO and chair of the works council. The company argued that the dismissal was justified under national legislation that allowed for dismissal with ‘just cause’. As a result, the employee brought an action before the German courts seeking a declaration that he should retain the position of DPO.

The Decision of the European Court of Justice (CJEU)

In its preliminary ruling, the CJEU held that the dismissal of the DPO grounded in the ‘just cause’ notion in national legislation was justified, with the following arguments:

• According to national legislation, a controller or processor has the authority to dismiss a data protection officer who is an employee of that controller or processor, even if the dismissal is not related to the officer’s tasks. This provision does not violate the second sentence of GDPR, Article 38(3), provided that such legislation does not undermine the objectives of the Regulation and remains compatible with EU law.

• A conflict of interests may arise if a data protection officer has additional tasks or duties that would enable them to determine the objectives and methods of processing personal data for the controller or processor (GDPR, Article 38(6)). The national court must determine whether such a conflict exists on a case-by-case basis by assessing all relevant circumstances, including the organizational structure of the controller or processor and applicable rules and policies.

Our remarks

• The DPO should be able to perform their duties and tasks in an independent manner. In that regard, such independence must necessarily enable them to carry out those tasks in accordance with the objective of the GDPR. The DPO cannot be assigned responsibilities that involve deciding on the objectives and methods of processing personal data for the controller or its processor. It is necessary to evaluate all the relevant circumstances on a case-by-case basis, including the organizational structure of the controller or its processor, applicable regulations, and any policies of the controller or its processor, to identify any potential conflicts of interest.

• According to the CJEU, Member States are allowed to lay down more protective legislation relating to the dismissal of a DPO employed by a controller or by a processor, if such legislation is intended to preserve the functional independence of the DPO and is compatible with EU law. When operating as a DPO in multiple countries, make sure to evaluate the legal landscapes in each country to ensure sufficient functional independence.

Published: 09-02-2023 Journal number: C-453/21 Tags: 01 Legal Basis and principles

Largest fines – Belgium 05

Google Belgium SA Fined for violating the right to be forgotten

Summary

A Belgian citizen, who is well-known in Brussels and has held various high-ranking positions in the energy sector, filed a complaint to the Belgian Data Protection Authority (DPA) concerning the delisting of 12 URLs from Google’s search results. The complainant argued that the links, which presented the complainant as affiliated with a political party and included outdated information about an unfounded harassment complaint, were detrimental to his honor and reputation. Google responded by removing one link, stating that another could not be accessed, and refusing to block the remaining links. The complainant did not receive noteworthy information as to how this decision was justified by Google.

A substantial part of the case was concerned with determining whether Google Belgium SA (Google Belgium), Google Ireland Ltd. (Google’s main establishment in the EU) or Google LLC, established in California, should be considered the data controller. The issue raised complex questions on the territorial scope of the GDPR and became the determining factor in why the historic fine was ultimately annulled by an appeals court.

Decision of the Belgian DPA

The Belgian DPA fined Google Belgium SA 600,000 EUR, based on the annual turnover of its parent company, Alphabet, for the following violations:

• Breaching the complainant’s right to be forgotten and inadequately balancing the complainant’s rights and interests against Google’s legitimate interests in processing the relevant personal data (GDPR, Articles 17(1)(a) and 6(1)(f)) (500,000 EUR).

• Failing to provide the complainant with sufficient information regarding the decision not to dereference the relevant links (GDPR, Article 12) (100,000 EUR).

On the issue of competence

The Belgian DPA found that Google LLC, of which Google Belgium is a subsidiary, could be considered the data controller and asserted its competence to take action against Google Belgium, arguing that the activities of the two entities were inextricably linked.

The DPA noted that the one-stop-shop mechanism, which allows companies operating across multiple EU member states to deal with only one supervisory authority for their cross-border processing activities, did not apply in these circumstances. Had this been the case, the Irish DPA would have assumed the role as lead supervisory authority since Google Ireland Ltd. is Google’s main establishment in the EU. However, the one-stop-shop mechanism did not apply for two reasons. Firstly, the DPA argued, since the data processing in question did not concern cross-border activities, and secondly, since Google Belgium’s counsel had confirmed that Google Ireland Ltd. was not involved in the processing activities related to the complaint. Instead, the DPA argued that the GDPR applied to Google LLC, and that Google Belgium as an establishment of Google LLC triggered the applicability of the GDPR under Article 3(1).

On the requests for dereferencing

The Belgian DPA found the search results relating to the harassment to be outdated and having potential prejudicial impact on the complainant’s professional and private life. The DPA concluded that Google Belgium had infringed the complainant’s right to be forgotten as well as his right to information by refusing to dereference the search results. However, the links relating to the political affiliation of the complainant were deemed able to remain online due to their continuing public relevance.

Published: 30-06-2021 Journal number: 2020/AR/1111 Tags: 01 Legal basis and principles of processing, 07 Scope of the GDPR

Decision of the Market Court of Appeals

The Market Court of Appeals (the Market Court) annulled the decision of the Belgian DPA, including the fine of 600,000 EUR. Basing its arguments on national principles of administrative law, the Market Court found that the decision of the DPA lacked proper motivation. In particular, the decision did not provide an adequate or satisfactory explanation for directing the complaint and sanctions solely against Google Belgium SA, when Google LLC was found to be the actual data controller responsible.

The Market Court highlighted that Google Belgium SA is primarily responsible for Google’s marketing activities in Belgium, and therefore is not involved in determining the means and purposes of data processing through the Google search engine.

The Market Court also noted that the GDPR contains obligations only for data controllers and data processors. A subsidiary or local establishment engaged in other activities, such as Google Belgium, may only be held accountable where its activities are indissociably linked to the personal data processing carried out by Google LLC. This link must be identified on a case-by-case basis and cannot be presumed or demonstrated by referring to decisions from other national jurisdictions or courts of other EU member states. The Market Court argued that the Belgian DPA may only pursue a local establishment if there is clear, unambiguous, and non-contradictory evidence of an inextricable link between the local establishment (Google Belgium SA) and the data controller (Google LLC).

In sum, the Market Court did not replace its own judgement with that of the DPA. The disputed decision was overturned and referred back to the Belgian DPA, who must now make a new decision from scratch, provided that a valid complaint is still pending. In its new decision, the DPA may impose a new fine on Google Belgium SA or even target other entities within the Google group, such as Google LLC or Google Ireland Ltd.

Our remarks

• By issuing its largest fine to date, the Belgian DPA sent a strong signal to global organizations, urging them to consider their data protection strategies in view of the GDPR. The case also demonstrates the Belgian DPA’s intentions to challenge multinational entities on their intended company structures when these do not adequately align with reality.

• The case furthermore illustrates the approach taken by the Belgian DPA in striking a balance between the privacy rights of public figures and the public’s right to access information about them online. By finding that certain articles related to the complainant’s political affiliations could remain online, the Belgian DPA acknowledges the importance of public interest. However, the DPA emphasizes the need to protect public figures from potential harm, such as the repercussions from unfounded harassment allegations. The case illustrates the commitment of the Belgian DPA to carefully weighing the competing interests of privacy and information access when addressing questions relating to public figures.

• Finally, the Market Court’s decision in the appeal case has set a standard for the Belgian DPA when pursuing transnational companies in data protection matters, highlighting the interplay between European regulations and national procedural rules. The case is centered around a national provision regarding the adequate motivation of administrative decisions, as stated in the Act of 29 July 1991. In cases where administrative authorities have broad discretionary power, and particularly when the arguments of a party are dismissed, the need for adequate motivations is particularly important, and must be based on clear and concrete elements.

Interactive Advertising Bureau Europe fined for the non-compliance of its Transparency & Consent Framework

Summary

The Interactive Advertising Bureau Europe (IAB Europe) developed an operational consent solution for parties in the digital advertising industry known as the Transparency and Consent Framework (TCF).

IAB Europe represents the digital advertising and marketing industry across Europe. The association was the subject of several complaints concerning various breaches of GDPR due to its alleged large-scale processing of personal data in the context of the TCF. The TCF provides an environment where website publishers can communicate with consumers, specifying how data is collected and disclosing its intended use by the website owner and its partners. User preferences are captured by generating a so-called TC String (Transparency and Consent String), consisting of a combination of letters, numbers and other characters. As users browse websites using the TCF (pop-ups) to collect consent, the placement of cookies or other advertisement identifiers and tracking technologies on their devices allows adtech vendors to bid on user profiles, exposing users to advertisements according to their individual commercial preferences. A question central to the case is whether TC Strings qualify as personal data under GDPR.

In relation to the TCF, the role of IAB Europe under GDPR is disputed. Arguments were made by the Belgian DPA that IAB Europe acted as data controller for the recording of TC Strings as well as joint data controller alongside other actors implementing the TCF such as website owners, adtech vendors and others collecting and disseminating users’ preferences. In this regard, the DPA pointed to the decisive influence of IAB Europe on the purposes and means of data processing through its role as designer of the TCF and managing body of organizations participating in the TCF. By enabling the generation of the TC String and determining the policies for how consent might be obtained and disseminated, the DPA held that IAB Europe was exerting control in the capacity of data controller. According to IAB Europe itself, however, the association merely held the status of data processor in the context of the TCF, for two main reasons. Firstly, the association argued that TC Strings contain technical information only, i.e. the binary indication of whether a user consented to the processing purposes on a given website. As such, TC Strings contain no unique identifier (such as the IP address) and should not be qualified as personal data according to IAB Europe. Secondly, regardless of the legal qualification of TC Strings, IAB Europe did not own, process, or coordinate the use of specific TC Strings and consequently argued that its role did not amount to that of a data controller.

As a result of the misconceptions related to IAB Europe’s role as being either data controller or processor, the association did not establish a sufficient legal basis under GDPR according to the Belgian DPA. Similarly, the DPA found that IAB Europe had breached several provisions by failing to conduct a data protection impact assessment, appoint a DPO, and maintain a register of its processing activities.

The Belgian DPA issued the fine on 2 February 2022 and ordered IAB Europe to produce, within two months, an action plan for securing the compliance of the TCF. IAB Europe appealed the decision to the Brussels Market Court of Appeal on 4 March 2022.

Published: 15-01-2021, Journal number: DOS-2019-01377 Tags: 01 Legal basis and principles of processing, 02 Right of access and obligation to provide information, 05 Data security

Decision of the Belgian DPA

The Belgian DPA imposed a fine of 250,000 EUR for the following violations:

• Processing user preferences in the form of TC Strings without legal basis (GDPR, Articles 5(1)(a) and 6).

• Failing to sufficiently inform data subjects and thus comply with transparency requirements (GDPR, Articles 12, 13 and 14).

• Failing to ensure the security of the processing (GDPR, Articles 24, 25, 5(1)(f) and 32).

• Failing to keep a record of the relevant processing activities (GDPR, Article 30).

• Failing to perform a data protection impact assessment (GDPR, Article 35).

• Failing to appoint a data protection officer (GDPR, Article 37).

The Belgian Data Protection Authority furthermore imposed an obligation on IAB Europe to undertake several corrective measures. IAB Europe should develop an action plan to include:

• A valid legal basis for processing and sharing user preferences within the TCF.

• Auditing the GDPR compliance of all organizations participating in the TCF.

Decision of the Market Court of Appeals

In an interim ruling of 7 September 2022, the Market Court found that the decision of the Belgian DPA was insufficiently substantiated while referring two questions to the Court of Justice of the European Union. These questions concern the interpretation of data controllership as well as the legal status of TC Strings under GDPR. Once answered, the Market Court will rule on the substantive issues raised in IAB Europe’s appeal of the Belgian DPA’s decision. A decision is expected in 2024.

Our remarks

• According to the Belgian DPA, the processing of a TC String in combination with a user’s IP address amounts to personal data within the meaning of GDPR. As the purpose of TC Strings is to single out individuals and capture their personal preferences, the DPA argues, it can be assumed that the data subject will likely be identified, although indirectly. However, this interpretation of the notion of personal data has been criticized by IAB Europe for being overly broad from a consumer protection point of view and has since been referred to the Court of Justice of the European Union by the Market Court. The question is currently unanswered.

• The case will likely have far-reaching implications for the status of standard setting organizations. Although industry standards are highly impactful in establishing best practices within a particular sector, assigning these organizations the responsibilities of (joint) controllers based on codes of conduct may prove a drastic step. Following the reasoning of the Court of Justice of the European Union in the coming months will hopefully provide much anticipated clarity on this issue.

Brussels Zaventem Airport fined for processing health data about travelers

Summary

Brussels Zaventem Airport installed thermal cameras to identify and screen passengers with a body temperature of more than 38°C, thus processing health data of passengers entering the airport (first line of control). Furthermore, a specialized ‘Ambuce Rescue Team’ was engaged to conduct second temperature scans and examinations of further symptoms of passengers whose temperatures were above 38°C (second line of control). Findings were then issued in a report based on the examinations. Both Brussels Zaventem Airport and the Ambuce Rescue Team were considered data controllers.

The data processing was based on a Protocol which, according to the Belgian DPA, was not binding under Belgian law.

The decision of the DPA was later partly annulled by the Market Court of Brussels.

Decision of the Belgian DPA

The Belgian DPA imposed a fine of 200,000 EUR on Brussels Zaventem Airport for the following violations:

• Lacking a valid legal basis and basic data protection principles (GDPR, Articles 5(1)(c), 6(1)(e) and 9(2)(g)).

• Failure to comply with information and transparency requirements (GDPR, Articles 12, 13(1)(c) and 13(2)(g)).

• Failure to conduct comprehensive impact assessments (GDPR, Articles 35(1), 35(3) and 35(7)(b)).

The Belgian Data Protection Authority imposed a fine of 20,000 EUR on the Ambuce Rescue Team for the following violations:

• Lacking a valid legal basis and breach of basic data protection principles (GDPR, Articles 5(1)(c), 6(1)(e) and 9(2)(g)).

• Failing to conduct comprehensive impact assessments (GDPR, Articles 35(1) and 35(3)).

Published: 07-12-2022, Journal number: 2022/AR/560&564 Tags: 01 Legal basis and principles of processing, 02 Right of access and obligation to provide information

Decision of the Market Court of Brussels

The Market Court annulled the decision and fine regarding the Ambuce Rescue Team.

Our remarks

• Invoking a legal obligation within the meaning of GDPR, Article 6(1)(c) or public interest within the meaning of GDPR, Article 9(2) requires the presence of legal necessity under national or EU law. The protocol invoked by the airport did not, however, directly impose the use of temperature checks on passengers in the opinion of the Belgian DPA. As the protocol in question did not constitute a law in a strict sense, the legal obligations originating from it could not be considered clear and precise enough to constitute standards of law within the meaning of GDPR, Articles 6(1) and 9(2).

• When indicating the legal basis for processing activities in a privacy policy, general references to “legal obligations and tasks of general interest” will not comply with the requirements of transparency under the GDPR. Instead, the policy must clearly indicate which of the cases listed in Articles 6 or 9 are applicable to the disputed processing activities.

• The decision underlines the importance of conducting comprehensive impact assessments (DPIAs). Data Protection Impact Assessments ensure the thorough evaluation of risks to data subjects due to the processing of their data. It should be noted that the “large-scale” nature of the processing of special categories of personal data is not solely determined by the number of data subjects involved. In this regard, the Ambuce Rescue Team pointed out that only eight people had been subjected to second-line controls, arguing that the disputed processing did not fall under GDPR, Article 35(3)(b). However, according to the DPIA Guidelines of the Article 29 Working Party, processing activities may also be considered “large-scale” based on factors such as the quantity of personal data involved, the duration or continuous nature of the processing activity, and the geographical scope of the processing. Therefore, in the present case, the data controller should have included the second line of control in its DPIA.

Brussels South Charleroi Airport fined for processing health data about travelers

Summary

Brussels South Charleroi Airport installed thermal cameras to identify and screen passengers with a body temperature exceeding 38°C, thus processing health data of passengers entering the airport (first line of control). The scans were conducted both for departing and arriving passengers. Furthermore, a specialized team was assigned to conduct second temperature scans and examinations of further symptoms of passengers displaying temperatures above 38°C (second line of control). Findings were then issued in a report based on the examinations.

The data processing was based on a Protocol which, according to the Belgian DPA, was not legally binding under Belgian law.

Decision of the Belgian DPA

The Belgian DPA imposed a fine of 100,000 EUR on Brussels South Charleroi Airport for the following violations:

• Lacking a valid legal basis and disregarding basic data protection principles (GDPR, Articles 5, 6 and 9).

• Failure to comply with information and transparency requirements (GDPR, Articles 12 and 13).

• Failure to conduct comprehensive impact assessments (GDPR, Article 35(1)).

• Breaching the obligation to implement technical and organizational measures to secure data (GDPR, Article 32).

• Breaching the principle of data protection by design and default (GDPR, Article 25).

• Failing to ensure the independence of the data protection officer (DPO) (GDPR, Article 38(3)).

Decision of the Market Court of Brussels

The Market Court reduced the fine to 25,000 EUR.

Our remarks

• When indicating the legal basis for processing activities in a privacy policy, general references to “legal obligations and tasks of general interest” do not meet the transparency requirements outlined in the GDPR. Instead, the policy must clearly indicate which of the cases listed in Articles 6 or 9 are applicable to the disputed processing activities.

• Invoking a legal obligation within the meaning of GDPR, Article 6(1)(c) or a public interest within the meaning of GDPR, Article 9(2) requires the presence of legal necessity under national or EU law. The Protocol invoked by the airport did not, however, directly impose the use of temperature checks on passengers in the opinion of the Belgian DPA. As the protocol in question did not constitute a law in a strict sense, the legal obligations originating from it could not be considered sufficiently clear and precise to constitute legal standards within the meaning of GDPR, Articles 6(1) and 9(2).

Published: 07-12-2022 Journal number: 2022/AR/556 Tags: 01 Legal basis and principles of processing, 02 Right of access and obligation to provide information

Financial company fined for lacking sufficient organizational measures

Summary

The complainant, a client of a financial company, discovered that her personal data hosted by the Belgian National Bank (’BNB’) had been unlawfully accessed 20 times between 2016 and 2018.

The defendant was a company operating within the financial sector which offered services such as personal loans. The ex-husband of the complainant was employed at the company. According to the defendant’s data protection officer, employees were only allowed to access the personal BNB files of clients in order to grant or manage credit. However, the complainant’s ex-husband accessed the personal file of the complainant in violation of these guidelines.

Although the complainant’s ex-husband was accountable for the unauthorized access to the complainant’s file, the data controller retained responsibility as a data controller and employer under GDPR, Articles 5(2) (accountability principle) and 24 (responsibility of the controller). Therefore, the employer was responsible for ensuring the safety of its data processing and remained accountable for any violations.

The complainant inquired with the data protection officer, on more than one occasion, about the data that was accessed, the identity of the individuals who accessed the data, as well as the purpose and legal basis. This information, despite the numerous requests, was not provided to the complainant.

Decision of the Belgian DPA

The company was fined 100,000 EUR for the following violations:

• Lacking sufficient organizational and technical measures ensuring the security of processing (GDPR, Article 32 in conjunction with Article 24).

• Failing to provide the data subject with requested information (GDPR, Article 15).

The company was ordered to implement a compliance process for access to BNB files.

Our remarks

• The employer, who is also the data controller, holds the responsibility for the data processing carried out by its employees in line with its predefined purposes. However, the employer may also be held liable for unauthorized data processing carried out by its employees. In cases where employees engage in unauthorized data processing, it is the entity, not the employee, that is accountable for adhering to data protection legislation, unless specific circumstances indicate otherwise. As per the Opinion 1/2010 of the Article 29 Working Party, companies and organizations are often considered responsible for data processing, rather than the individual employees within them. Therefore, it is imperative for the data controller to implement suitable technical and organizational measures to prevent any abusive data processing by its employees, especially when it comes to special categories of personal data such as financial information relating to persons.

• Although the defendant is considered the data controller for the purposes of the data processing carried out by its employees, this does not mean that it is the only entity responsible in this case. The employee was also considered a data controller for the specific, unauthorized data processing activities he carried out, and actions were brought against him in a separate case.

• The Belgian DPA emphasized the value of following best practices when securing personal data. Although not explicitly mentioned in the GDPR, measures such as keeping log files allow the data controller to demonstrate compliance with Article 32 (security of processing) by documenting that technical steps have been taken to limit unauthorized access by an employee to a database of personal data.

• Data controllers must respond to access requests in accordance with the GDPR, Article 15, providing the data subject with a list of the data that has been accessed, the identity of the individuals who accessed it, the purpose, and the legal basis.

Published: 26-04-2021 Journal number: DOS-2019-02288 Tags: 05 Data security
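The DPA’s remarks on log files and on answering access requests can be made concrete with a small access-log review. This is an added example, not code from the casebook or from the company concerned. The CSV log format, the case register, the field names, and the rule that a client file may only be read under an open credit case assigned to the reading employee are all assumptions made for the example; the basis labels in the report are placeholders, not a statement of which GDPR basis applies.

```javascript
// Added example (not from the casebook or the company concerned). Reviews a
// constructed access log for a client-file store against a register of credit
// cases, flags reads that no case justifies, and prepares the material an
// Article 15 answer needs (who read the file, when, for what purpose).
// The log format, the register and the "open case" rule are assumptions.

// Constructed log, one line per read: timestamp,employee,client,caseRef
const SAMPLE_LOG = `
2018-03-02T09:14:00Z,emp-104,client-771,CR-2018-0042
2018-03-02T09:16:30Z,emp-104,client-771,CR-2018-0042
2018-03-05T22:41:10Z,emp-233,client-771,
2018-03-06T07:02:55Z,emp-233,client-771,CR-2017-0910
2018-03-07T11:30:00Z,emp-118,client-512,CR-2018-0051
2018-03-08T10:00:00Z,emp-233,client-512,CR-2017-0910
`;

// Constructed case register: which employee handles which client, and when.
const CASE_REGISTER = {
  "CR-2018-0042": { client: "client-771", employee: "emp-104", opened: "2018-02-20", closed: null },
  "CR-2017-0910": { client: "client-512", employee: "emp-233", opened: "2017-11-01", closed: "2018-01-15" },
  "CR-2018-0051": { client: "client-512", employee: "emp-118", opened: "2018-03-01", closed: null },
};

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [timestamp, employee, client, caseRef] = line.split(",").map((s) => s.trim());
    return { timestamp, employee, client, caseRef: caseRef || null };
  });
}

// Returns why an access is unjustified, or null when an open case covers it.
// Assumed policy: a file may only be read under a credit case that is open at
// the time, belongs to that client, and is assigned to the reading employee.
function justification(entry, register) {
  if (!entry.caseRef) return "no case reference";
  const c = register[entry.caseRef];
  if (!c) return "unknown case reference";
  if (c.client !== entry.client) return "case belongs to a different client";
  if (c.employee !== entry.employee) return "case assigned to a different employee";
  const day = entry.timestamp.slice(0, 10); // ISO dates compare correctly as strings
  if (day < c.opened || (c.closed !== null && day > c.closed)) return "case not open at time of access";
  return null;
}

// Detection pass: every read that the register does not explain.
function findUnjustifiedAccess(text, register) {
  return parseLog(text)
    .map((e) => ({ ...e, reason: justification(e, register) }))
    .filter((e) => e.reason !== null);
}

// Material for answering one client's access request: who, when, purpose,
// and the basis relied on (the basis labels are placeholders for the example).
function accessReport(text, register, client) {
  return parseLog(text)
    .filter((e) => e.client === client)
    .map((e) => {
      const reason = justification(e, register);
      return {
        when: e.timestamp,
        who: e.employee,
        purpose: reason === null ? "granting or managing credit" : "none recorded (unauthorized)",
        basis: reason === null ? `credit case ${e.caseRef}` : "none",
        flagged: reason !== null,
      };
    });
}
```

On the constructed log, `findUnjustifiedAccess` flags three reads by `emp-233`: one with no case reference, one under a case that belongs to another client, and one under a case that had already been closed. `accessReport(SAMPLE_LOG, CASE_REGISTER, "client-771")` lists all four reads of that client’s file, two of them flagged, which is the kind of list the DPA expected the controller to be able to hand over. For the log to carry evidential weight it must be written by the file store itself, not by the application the employee controls, and stored append-only.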

Bank fined due to a conflict of interest regarding its DPO

Summary

An individual filed a complaint with the Belgian DPA, claiming that a bank had violated his right to rectification (GDPR, Article 16). During the investigation, the DPA broadened its scope to examine a potential conflict of interest regarding the bank’s data protection officer (DPO). The Belgian DPA examined the different roles assumed by the DPO. In addition to being the DPO, the employee also headed the bank’s operational risk management department, the information risk management department, and its special investigation unit.

It follows from GDPR, Article 38, that a DPO may have other roles within a company. However, the tasks and duties of the DPO must not result in a conflict of interest. The bank claimed that the DPO merely held a position of formal responsibility as head of the three departments. As such, his supervisory role did not entail decision making competences in relation to the purposes and means of personal data processing. To support its argument, the bank referred to the organizational structure of the departments and previous caselaw from the Belgian DPA. However, the DPA proceeded to evaluate to what extent the independence of the DPO was ensured with respect to each of the three departments.

The DPA determined that issues regarding conflicts of interests must be determined on a case-by-case basis, taking into account the data controller’s organizational structure. The DPA then found that the organizational structure of the bank de facto resulted in the DPO having responsibilities and performing tasks as head of the three departments that were incompatible with his role as DPO.

Decision of the Belgian DPA

The Belgian DPA fined the bank 75,000 EUR for the following violations:

• Failing to ensure the independence of the DPO (GDPR, Article 38(6)).

• Failing to provide the data subject with requested information (GDPR, Article 15).

The bank was also ordered to implement a compliance process to properly handle access requests from its clients.

Our remarks

• Organizations should exercise caution when appointing DPOs who hold multiple roles within the company. Conflicts of interest may arise if the DPO acts as the head of other departments where they are responsible for making decisions related to the purposes and means of personal data processing in some capacity.

• Avoiding conflicts of interest is always important to prioritize when appointing a DPO, regardless of the size of the organization. However, in cases where organizations process personal data relating to a large number of data subjects, as in the present case, the presence of a conflict of interest is even more significant. The greater the number of data subjects potentially impacted, the higher the risk of harm due to conflicts of interest, and as a result, the larger the potential fine that may be imposed.

Published: 16-12-2021 Journal number: DOS-2020-03763 Tags: 01 Legal basis and principles of processing

SA Rossel & Cie media company fined for unlawful use of cookies

Summary

SA Rossel & Cie (‘Groupe Rossel’), a Belgian press site, was among the subjects of a broad investigation carried out by the Belgian Data Protection Authority (DPA) regarding the placement of cookies on the most widely accessed Belgian online news media sites. The case was examined together with the case regarding Roularta Media Group, which is described below. The DPA examined several websites administered by Groupe Rossel to assess how non-essential cookies were managed and whether visitors’ consent was obtained in accordance with the GDPR.

The DPA’s investigation found that Groupe Rossel had used non-essential cookies without obtaining valid consent from visitors, including cookies on third-party domains. Additionally, Groupe Rossel obtained user consent using the ‘further browsing’ mechanism, which linked users’ expressions of cookie consent to their decision to continue browsing the website. According to the DPA, this method of obtaining consent does not meet the requirements for specification and distinction outlined in GDPR, Article 4(11).

The DPA found that Groupe Rossel had continued to place cookies on users’ devices after they had withdrawn their consent. The placement of cookies in such a situation is unlawful due to the lack of (consent as a) legal basis.

The DPA also found that the cookie policies of Groupe Rossel’s websites were incomplete and not easily accessible to users. Additionally, these policies failed to provide mandatory information, such as the names of all third-party partners. As a result, Groupe Rossel breached GDPR, specifically Articles 12(1), 13, and 14, which require organizations to provide data subjects with complete and accessible information about the processing of their personal data.

The decision was later appealed.

The decision of the Belgian DPA

The Belgian DPA imposed a fine of 50,000 EUR on Groupe Rossel for the following violations:

• Placing non-essential cookies before obtaining user consent, including cookies placed by third-party domains (GDPR, Article 6(1)(a) and Article 129 of the Belgian Electronic Communications Act).

• Obtaining consent through the ”further browsing” technique, which links the expression of consent for cookies with the choice to continue using the website (GDPR, Articles 4(11), 6(1)(a), and 7(1)).

• Depositing non-essential cookies, namely social media and audience measurement cookies, before obtaining user consent (GDPR, Article 6(1)(a)).

• Presenting the selection screen for partners to whom personal data was sent in ”allow” mode by default for the approximately 500 listed partners (GDPR, Articles 4(11), 6(1)(a) and 7(1)).

• Only mentioning 13 external partners in the cookie policy, whereas the partner selection screen accessible via the volatile cookie banner referenced around 500 partners of this type (GDPR, Articles 4(11), 12(1), 13 and 14).

• Failing to provide sufficient accessible and/or language-appropriate mandatory information to data subjects (GDPR, Articles 12(1), 13, and 14).

• Allowing the placement of new cookies after the withdrawal of user consent without justification deemed relevant by the DPA (GDPR, Article 7(3)).

Appeal to the Belgian Market Court

According to Belgian law, when the Belgian DPA initiates a case on its own, it must be based on a referral. The referral must be made by the management board of the DPA and provide ”serious indications” of a potential violation of the fundamental principles of personal data protection.

Published: 22-02-2023 Journal number: 2022/AR/953 Tags: 01 Legal basis and principles of processing

However, in the referral for this case, no serious indications were mentioned or proven. Even though the investigation service (not the management board) had created a handwritten note listing various reasons for initiating the investigation, the Market Court found that there was no official referral, which made the investigation irregular and suggested that the investigation service had been involved, or seized of the matter, in an irregular manner. The Market Court therefore invalidated the case.

Final decision of the Belgian Market Court

The Court invalidated the decision by the Belgian DPA, as the referral on which the investigation was based was insufficient.

Our remarks

• For cookie placement to be lawful, user consent must be obtained prior to the placement of cookies, and continued browsing may not be considered a valid form of consent under the GDPR. Rather, consent should be considered valid only if it results from a clear and sufficiently specific active action by the user. Finally, if users withdraw their consent, this withdrawal must be effective and prevent the placement of further cookies.
• Article 129 of the Belgian Electronic Communications Act contains two exceptions regarding user consent and cookie placement. As a main rule, the consent of data subjects must be obtained prior to the placement of cookies on their devices. This, however, is not required in the following two situations:
° When the cookie is only intended to carry out the transmission of a communication over an electronic communications network, or
° When the cookie is strictly necessary for the provision of a service explicitly requested by the subscriber or end user (such as cookies allowing the storage of items in an online shopping cart or ensuring the security of a banking application).
• All other cookie placements or installations of other tracking measures require the prior consent of the data subject.
• Data protection authorities must comply with procedural rules. Even if their assessment of the processing in question is correct, the case or decision can be invalidated if procedural rules are not followed.
• As the invalidation only happened due to the missing justification in the referral, the DPA’s assessment of the cookie solution is still relevant as a takeaway for other data controllers.

Roularta Media Group fined for unlawful use of cookies

Summary

Roularta Media Group, a Belgian media company, was among the subjects of a broad investigation carried out by the Belgian Data Protection Authority (DPA) regarding the placement of cookies on the most widely consulted Belgian online news media. The case was examined together with the case about SA Rossel & Cie, which is described above. The DPA inspected several websites administered by Roularta Media Group, focusing on the management of non-essential cookies and whether visitors’ consent had been obtained in accordance with the GDPR.

The DPA found that Roularta Media Group had used non-essential cookies without first obtaining valid consent from website users.

Furthermore, Roularta Media Group had obtained user consent to the placement of third-party cookies in an ambiguous manner, contrary to the GDPR requirements, by presenting users with pre-ticked boxes. Additionally, it was more difficult for users to withdraw consent to the placement of cookies than it was for them to provide it.

Finally, the DPA noted that the cookie policy of Roularta Media Group on the relevant websites did not provide adequate details regarding the use of cookies, and that cookies were being retained for unjustified periods of time. The company did not fulfill its obligation to enable users to revoke their consent.

The decision was later appealed.

The decision of the Belgian DPA

The Belgian DPA imposed a fine of 50,000 EUR on Roularta Media Group for the following violations:

• Placing non-essential cookies before obtaining user consent, including cookies placed by third parties (GDPR, Article 6(1)(a) and Article 129(2) of the Belgian Electronic Communications Act).
• Non-compliance with the conditions for obtaining valid consent from users, namely by presenting users with pre-checked boxes on two websites, with partner companies’ cookies marked as ‘active’ by default (GDPR, Articles 4(11), 6(1)(a) and 7(1)).
• Publishing a disclaimer on the websites in question claiming that Roularta Group was not responsible for the placement of third-party cookies on users’ devices (GDPR, Articles 5(2) and 24).
• Failing to provide information to data subjects in a transparent, understandable, and easily accessible form (GDPR, Articles 12(1), 13, and 14).
• Non-compliance with the principle of storage limitation (GDPR, Article 5(1)(e)).
• Failing to ensure that withdrawing consent to the placement of cookies is as easy as providing it (GDPR, Article 7(3)).

Appeal to the Belgian Market Court

According to Belgian law, when the Belgian DPA initiates a case on its own initiative, it must be based on a referral. The referral must be made by the management board of the DPA and provide ”serious indications” of a potential violation of the fundamental principles of personal data protection.

However, in the referral for this particular case, no serious indications were mentioned or proven. Even though the investigation service (not the management board) had created a handwritten note listing various reasons for initiating the investigation, the Market Court found that there was no official referral, which made the investigation irregular and suggested that the investigation service had been involved, or seized of the matter, in an irregular manner. The Market Court therefore invalidated the case.

Decision of the Belgian Market Court

The Court invalidated the decision by the Belgian DPA, as the referral on which the investigation was based was insufficient.

Published: 22-02-2023 Journal number: 2022/AR/953 Tags: 01 Legal basis and principles of processing

Our remarks

• For the placement of cookies to be lawful, user consent must be obtained prior to the placement of cookies. Consent may only be considered valid if the conditions set out in the GDPR are met. This includes the requirement that the data subject provides consent in the form of a freely given, specific, informed, and unambiguous indication of their wishes to agree to the processing of personal data, as outlined in GDPR, Article 4(11).
• The owner of a website is responsible for the processing of cookies installed or read by its website. This responsibility may not be waived by publishing a disclaimer on the website in question.
• The case clarified that the use of statistical cookies does indeed constitute a processing of personal data under the GDPR in conjunction with the Belgian implementation of the ePrivacy Directive. Therefore, prior user consent is required when placing statistical cookies that have access to IP addresses.
• To observe the principle of storage limitation, note that the lifespan of cookies must be directly linked to the purpose for which they are used, and they must be configured to expire as soon as they are no longer necessary, considering the reasonable expectations of the data subject.
• Article 129 of the Belgian Electronic Communications Act contains two exceptions regarding user consent and cookie placement. As a main rule, the consent of data subjects must be obtained prior to the placement of cookies on their devices. This, however, is not required in the following two situations:
° When the cookie is only intended to carry out the transmission of a communication over an electronic communications network, or
° When the cookie is strictly necessary for the provision of a service explicitly requested by the subscriber or end user (such as cookies allowing the storage of items in an online shopping cart or ensuring the security of a banking application).
All other cookie placements or installations of other tracking measures require the prior consent of the data subject.
• When providing data subjects with information regarding cookies, as required by GDPR, Articles 12, 13 and 14, be sure to include:
° A complete list of the different types or categories of cookies placed on the users’ devices.
° Sufficient information on the criteria for determining the lifespan of the cookies placed on users’ devices and the duration of retention of the data collected.
° Information on the processing carried out by external partners and vendors.
Note that all information must be provided in a transparent, understandable, and easily accessible manner.
• Withdrawing consent to the placement of cookies must be as easy as it is to provide it in the first place. The cookie management tools used on a website must provide an effective mechanism for withdrawing consent, after which the number of cookies placed should decrease.
• Data protection authorities must comply with procedural rules. Even if their assessment of the processing in question is correct, the case or decision can be invalidated if procedural rules are not followed.
• As the invalidation only happened due to the missing justification in the referral, the DPA’s assessment of the cookie solution is still relevant to other data controllers as a takeaway.
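The consent requirements the DPA applied in the Rossel and Roularta decisions (no non-essential cookie before an explicit, purpose-specific choice; no pre-ticked partners; no consent inferred from further browsing; an effective withdrawal after which cookies actually disappear; lifespans tied to purpose) translate directly into logic that a site's cookie layer can enforce and that an auditor can check against what a page really sets. The following JavaScript is an added example written for this casebook, not code from Groupe Rossel, Roularta or the Belgian DPA: a per-purpose consent gate and an audit of a constructed cookie placement log. The domain news.example, the cookie names, the purpose labels and the retention ceilings in MAX_LIFETIME_SECONDS are constructed assumptions, not values from the decisions.

```javascript
// Added example for this casebook; not code from the companies or the DPA.
// Purposes, domains, cookie names and retention ceilings are hypothetical.

// Purposes covered by the two exemptions in Article 129 of the Belgian Electronic
// Communications Act (transmission of a communication, or strictly necessary for
// a service the user explicitly requested). Everything else needs prior consent.
const EXEMPT_PURPOSES = new Set(["essential"]);

// Hypothetical retention ceilings per purpose, in seconds (lifespan tied to purpose).
const MAX_LIFETIME_SECONDS = {
  essential: 24 * 3600,
  analytics: 13 * 30 * 24 * 3600,
  marketing: 6 * 30 * 24 * 3600,
};

// Consent state for one visitor. Nothing is pre-ticked and nothing is inferred
// from "further browsing": a purpose is allowed only after an explicit grant()
// and until an explicit withdraw(). Each purpose is tracked individually.
class ConsentState {
  constructor() {
    this.granted = new Set();
    this.events = []; // { action: "grant" | "withdraw", purpose, at }
  }
  grant(purpose, at) {
    this.granted.add(purpose);
    this.events.push({ action: "grant", purpose, at });
  }
  withdraw(purpose, at) {
    this.granted.delete(purpose);
    this.events.push({ action: "withdraw", purpose, at });
  }
  allows(purpose) {
    return EXEMPT_PURPOSES.has(purpose) || this.granted.has(purpose);
  }
}

// Gate to call before writing any cookie or loading any third-party tag.
function maySetCookie(state, cookie) {
  return state.allows(cookie.purpose);
}

// After a withdrawal the cookie count must actually go down: names of cookies
// whose purpose is no longer allowed, to be expired (Max-Age=0) and whose tags
// must stop being loaded.
function cookiesToExpire(state, presentCookies) {
  return presentCookies.filter((c) => !state.allows(c.purpose)).map((c) => c.name);
}

// Replay the consent history to decide whether `purpose` was allowed at time `at`.
function allowedAt(events, purpose, at) {
  if (EXEMPT_PURPOSES.has(purpose)) return { allowed: true, withdrawn: false };
  let allowed = false;
  let withdrawn = false;
  for (const e of [...events].sort((a, b) => a.at - b.at)) {
    if (e.purpose !== purpose || e.at > at) continue;
    if (e.action === "grant") { allowed = true; withdrawn = false; }
    if (e.action === "withdraw") { allowed = false; withdrawn = true; }
  }
  return { allowed, withdrawn };
}

// Audit what was observed being set (crawler output or the browser's cookie jar)
// against the consent history: placement without prior consent, placement after
// withdrawal, and a lifespan the purpose does not justify. Third-party cookies
// are marked because the site owner remains responsible for them.
function auditPlacements(log, events, siteDomain, policy = MAX_LIFETIME_SECONDS) {
  const findings = [];
  for (const c of log) {
    const base = { cookie: c.name, domain: c.domain, thirdParty: c.domain !== siteDomain };
    const { allowed, withdrawn } = allowedAt(events, c.purpose, c.setAt);
    if (!allowed) findings.push({ ...base, issue: withdrawn ? "placed-after-withdrawal" : "placed-without-prior-consent" });
    const ceiling = policy[c.purpose];
    if (ceiling !== undefined && c.maxAge > ceiling) findings.push({ ...base, issue: "lifespan-exceeds-purpose" });
  }
  return findings;
}

// Constructed scenario: the visitor ticks "analytics" at t=10 s and withdraws it
// at t=50 s; "marketing" is never consented to.
const SITE_DOMAIN = "news.example";
const visitor = new ConsentState();
visitor.grant("analytics", 10);
visitor.withdraw("analytics", 50);

// Constructed observation of what the page set (timestamps in seconds).
const OBSERVED_COOKIES = [
  { name: "sid",  domain: SITE_DOMAIN,      purpose: "essential", setAt: 0,  maxAge: 3600 },
  { name: "_ga",  domain: SITE_DOMAIN,      purpose: "analytics", setAt: 2,  maxAge: 63072000 },
  { name: "fr",   domain: "social.example", purpose: "marketing", setAt: 3,  maxAge: 7776000 },
  { name: "_gid", domain: SITE_DOMAIN,      purpose: "analytics", setAt: 20, maxAge: 86400 },
  { name: "_ga",  domain: SITE_DOMAIN,      purpose: "analytics", setAt: 60, maxAge: 63072000 },
];

function runAudit() {
  return auditPlacements(OBSERVED_COOKIES, visitor.events, SITE_DOMAIN);
}

console.log(JSON.stringify(runAudit(), null, 2));
console.log("to expire after withdrawal:", cookiesToExpire(visitor, OBSERVED_COOKIES));
```

Run with node, the constructed log yields five findings: the analytics and social-media cookies set before any choice was made (the social cookie marked as third-party), the analytics cookie re-set after withdrawal, and two lifespans above the constructed ceiling; cookiesToExpire lists the four non-essential cookies the site would have to expire after the withdrawal. In a real deployment the log comes from browser automation capturing Set-Cookie headers and document.cookie changes with timestamps relative to the consent click, and the same audit can be re-run after the withdrawal click to verify that the count really decreases.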

Family Service fined for unlawful consent practices

Summary

Family Service is an advertising agency offering so-called ‘gift packages’ for expectant parents, containing offers and samples of products and services. Expectant parents can subscribe to the service, allowing Family Service to pass on their data to other entities. The gift packages are distributed through a network of partners, including hospitals and gynecologists.

An individual filed a complaint with the Belgian Data Protection Authority (DPA) after receiving targeted advertising from an external company, which had obtained the complainant’s personal data from Family Service. The complainant claimed that she had received multiple phone calls without giving her explicit consent to Family Service, and that these inquiries continued even after she had withdrawn her consent and objected to receiving targeted advertising.

Although the complainant had given her consent while subscribing to the gift packages, the agreement failed to provide adequate information about how, to whom, and under which circumstances her personal data would be shared. As a result, the complainant was unable to make an informed decision about the intended use of her data, rendering her consent invalid and not freely given as required by the GDPR.

Among other circumstances central to the case, Family Service had a policy of retaining personal data about its subscribers for up to 18 years, the point at which newborn children registered in the database would no longer be legally represented by their parents. Furthermore, no record was kept of requests for rectification. Finally, subscribers’ email addresses were intentionally kept even after data subjects had requested erasure, to ensure that no new accounts were created using the same email address later. According to the DPA, these activities were against both the letter and the spirit of the GDPR.

Decision of the Belgian DPA

The Belgian DPA imposed a fine of 50,000 EUR on Family Service for the following violations:

• Providing subscribers with a misleading impression regarding the use of their personal data when subscribing to receive gift packages (GDPR, Article 5(1)(a)).
• Retaining personal data for up to 18 years, which was deemed disproportionate, considering most of the offered products concerned infants (GDPR, Article 5(1)(c) in conjunction with Article 25).
• Failing to obtain free, specific, informed, and unambiguous consent from data subjects, and processing data without a legitimate interest that could outweigh the interests of the data subject (GDPR, Articles 6(1)(a) and (f)).
• Failing to ensure that withdrawing consent was as easy for the data subject as providing it (GDPR, Article 7(3)).
• Failing to provide sufficient information to data subjects (GDPR, Article 13).
• Non-compliance with the principle of storage limitation (GDPR, Article 5(1)(e)).
• Not taking appropriate technical and organizational measures to secure the rights and freedoms of the data subjects, considering the nature, context, and purpose of the processing activities in question (GDPR, Article 24).
• The lack of processing agreements between Family Service and one of its data processors (GDPR, Article 28(3)).

Published: 27-01-2021 Journal number: DOS-2019-04798 Tags: 01 Legal basis and principles of processing

Our remarks

• When relying on consent as a legal basis, several connected requirements must be met. One of these is that data subjects should be able to give consent to different processing purposes individually (granular consent), rather than accepting a single agreement where several processing purposes are ‘bundled’ together. Note also that it must be as easy for the data subject to revoke their consent as it is to grant it in the first place. It is advisable to inform the data subjects of their right to withdraw consent at the time of obtaining it. Once consent is withdrawn, the data controller must ensure that the data is erased, unless there is another legal basis for processing the data. Please consult GDPR, Articles 4(11) and 7 for more information on what constitutes valid consent under the Regulation.
• Data controllers must consider the reasonable expectations and interests of data subjects when determining the validity of a legitimate interest as a legal basis, ensuring that the legitimate interest aligns with the expectations of the data subjects. Data controllers should refrain from using abstract language and instead explicitly describe the activities for which personal data is processed, such as targeted advertising. This transparency is essential for data subjects to understand how their personal data may be used by other entities and to exercise control over their personal data. Please consult GDPR, Article 6(1)(f) for more information about legitimate interests as a legal basis.
• It is crucial for data controllers to provide adequate information to data subjects about the different ways personal data may be processed, both before and after it is traded. This includes clear information about the categories of recipients of personal data, allowing data subjects to identify partners of the data controller. When distributing products through hospitals and gynecologists, individuals may get a misleading impression about the entities involved. Specifically, they may perceive Family Service as a non-profit organization or a governmental initiative rather than a private company that trades personal data. Therefore, companies should be transparent about the commercial advantages associated with the exchange of personal data.

Parking ticket control company fined for several GDPR violations

Summary

A company responsible for parking ticket controls issued a fine for illegal parking to an individual (‘the data subject’). However, the data subject claimed that he had never received the fine. He first learned about the fine when a debt collection agency sent him a reminder letter, which included additional fees. It was later discovered that this reminder letter had been sent out just a day after the original fine was issued. Thus, information about the data subject’s name and address had been processed unnecessarily during the period in which individuals can pay the fine before a reminder is sent, contrary to the principle of data minimization in GDPR, Article 5(1)(c).

The data subject contacted the parking control company, requesting information about the data being processed about him. The request was not properly fulfilled, partly due to the data controller’s inaccurate instructions regarding the correct communication channels, and partly due to an incorrect interpretation of the exemption to the data subject’s right of access. As a result, the data subject filed a complaint about the data controller with the Belgian Data Protection Authority (DPA).

As separate data controllers, both the parking control company and the debt collection firm were investigated and sanctioned by the DPA.

Decision of the Belgian DPA

The parking control company was fined 50,000 EUR for the following violations:

• Failing to comply with the data subject’s right of access (GDPR, Articles 14(1) and (2) in conjunction with Article 12(1) and (3)).
• Unnecessarily processing the personal data of the data subject (GDPR, Article 5(1)(c)).
• Failing to implement appropriate technical and organizational measures, considering the nature, context, and purpose of processing (GDPR, Articles 5(2) and 24(1) and (2)).

The debt collection firm was fined 15,000 EUR for the following violations:

• Requesting excessive amounts of information about the data subject (GDPR, Article 5(1)(c)).
• Processing data without a legal basis (GDPR, Article 6).
• Failing to provide the data subject with adequate information (GDPR, Article 12(3) in conjunction with Article 14).
• Failing to implement appropriate technical and organizational measures, considering the nature, context, and purpose of processing (GDPR, Articles 5(2) and 24(1) and (2)).

Our remarks

• Data controllers must establish standardized internal procedures to effectively accommodate data subjects’ exercise of their rights under the GDPR. This involves providing the data subject with clear information about to whom, and through which communication channels, their right of access can be exercised.
• Data controllers should remain cautious when interpreting the exemptions to the rights of data subjects. The restriction of data subjects’ rights is regulated in Article 13 of the Belgian Data Protection Act. These exemptions must be understood restrictively, as they deprive the data subjects of their right to information, including information about the existence of other rights such as the rights to rectification, objection, or erasure.

Published: 23-12-2020 Journal number: DOS-2019-02751 Tags: 01 Legal basis and principles of processing

Selected interesting cases – Belgium 06

EU DisinfoLab fined for processing and classifying tweets and Twitter accounts according to political orientation

Summary

In an effort to combat the issue of online fake news, a Belgian NGO called EU DisinfoLab undertook an analysis of a large number of ‘tweets’ posted on Twitter concerning the “Benalla affair”. This criminal case involved a senior French security officer employed by the President of France. As part of their study, the NGO categorized Twitter accounts according to users’ political, religious, ethnic, and sexual orientations, with the aim of identifying the political affiliations of the Twitter users in question.

The study, published in 2018, included personal data from over 55,000 Twitter accounts. The NGO performed several processing activities for this study, including processing the publicly available information from Twitter, as well as publishing an Excel spreadsheet online which contained the raw personal data extracted from Twitter. This spreadsheet was published in response to challenges regarding the integrity of the study.

Following more than 240 complaints from data subjects, the Belgian Data Protection Authority (DPA) launched an investigation in collaboration with its French counterpart, CNIL.

Collaborative decision of the Belgian DPA and the French DPA

The DPAs imposed a fine of 2,700 EUR on EU DisinfoLab for the following violations:

• For activities related to the conduct of the study:
° Not having a privacy policy (GDPR, Articles 5(1)(a), 12 and 14).
° Not having carried out a balancing of interests (GDPR, Article 6(1)(f)).
° Not having contracts in place with data processors (GDPR, Article 28(3)).
° Not having a record of processing activities (GDPR, Article 30).
° Not implementing sufficient technical and organizational measures within the non-profit organization (GDPR, Article 32).
° Not having carried out an impact assessment (GDPR, Article 35).
° Not observing the principle of accountability (GDPR, Articles 5(2) and 24).

The DPA imposed a fine of 1,200 EUR on an individual researcher who, alongside the NGO, was deemed the data controller for the publication of the Excel file containing raw personal data. The researcher was fined for the following violations:

• GDPR, Articles 5(1)(a), 5(1)(c), 5(1)(f), 6(1), 9, 12, 14, and 32.

Our remarks

• The public nature of personal data posted on social networks such as Twitter does not mean that such data is not protected by the GDPR. When processing personal data obtained from such platforms, the general principles must be observed and an appropriate legal basis identified.
• In cases where personal data is processed for journalistic purposes, exemptions to the GDPR may apply. In the present case, the Data Protection Officer (DPO) acknowledged that the NGO was exempted from the obligation to individually inform the data subjects pursuant to GDPR, Article 14. This exemption was granted to protect the integrity of the study. Nonetheless, the DPA concluded that the publication of sensitive personal data used in the study, without proper pseudonymization, did not have a legal basis. According to the DPA, the lawful publication of such sensitive data without pseudonymization would have required the consent of the individuals concerned.

Published: 22-01-2022 Journal number: DOS-2018-04433 Tags: 01 Legal basis and principles of processing


Company fined for restoring data on a former managing director’s work laptop

Summary

A former managing director of a private company filed a complaint with the Belgian Data Protection Authority (DPA) against his former employer. After being dismissed by the employer, the employee had erased a substantial amount of data on his work laptop before returning it to his former employer. The employee claimed to have erased only his private data, whereas the employer claimed that both private and professional data had been erased. During the investigation, the employer presented two employee testimonies stating that the former employee had deleted both private and professional email accounts.

Due to a possible civil case between the former employee and the employer, the employer restored the deleted data, resulting in the former employee invoking his right to erasure, requesting restriction of the processing of his personal data, and objecting to the processing of his personal data. The employer refused to comply with these requests on the basis of the employment contract between the parties, as well as by referring to GDPR, Article 6(1)(f), which, in the employer’s opinion, justified the processing of the personal data of the former employee.

The Belgian DPA imposed a fine of 7,500 EUR on the employer for processing the personal data of the former employee without a sufficient legal basis. The case was later appealed to the Court of Appeal.

The Court of Appeal found that the DPA had not fixed the start date of the processing and had failed to assess the legitimate interest of the employer in restoring and processing personal data about the former director due to the possibility of a civil claim.

The Court found that the employer had a legitimate interest in restoring and processing the personal data of the former employee.

Final decision of the Court of Appeal

The Court annulled the decision of the DPA.

Our remarks

• After the end of employment, the employer may retain a legitimate interest in storing personal data about the former employee. This can be for several reasons:
° First and foremost, the employer may be required by law, such as tax law, to retain certain personal data. Additionally (as in this case), the employer may have a legitimate interest in storing personal data that could be relevant to potential legal proceedings, such as a claim for damages.
• When deciding on the appropriate duration for retaining personal data about a former employee, a data controller should consider the time limits specified in existing laws. For example, in tort law there is often a limitation period that defines the timeframe in which a claim can be made. After this period, there is no reason to store the personal data any longer.
• Data controllers should have practices and policies in place for how to handle former employees’ data. It is advisable for companies to regulate the scenario of resignation, dismissal, or any other form of termination of employee activity, and its consequences, in an internal instruction relating to the use of electronic devices, for example by prohibiting employees from using work e-mail for sending personal mail. Implementing such a policy removes any potential confusion around the classification of stored e-mails as either work-related or private.
• If e-mails are kept after the end of employment, access to them should be limited to a selected few trusted employees.

Published: 07-04-2022 Journal number: DOS-2020-02892 (overturned by 2022/AR/549) Tags: 01 Legal basis and principles of processing, 02 Right of access and obligation to provide information, 03 Right to erasure and rectification

CCTV operator fined for illegally installing cameras

Summary

An individual filed a complaint with the Belgian Data Protection Authority (DPA) regarding the installation of surveillance cameras in an apartment building by one of the owners. The complaint was filed against Mr. Z, the delegated manager of the company overseeing the apartment building. Mr. Z was also responsible for determining the placement and usage of the cameras during the initial construction and development phase of the apartment complex.

The complaint was not concerned with the use of cameras as such, but rather with the fact that only Mr. Z had access to the recorded camera footage. As a homeowners’ association was being established for the apartment complex, arguments were made that the role of data controller should belong to this association rather than to Mr. Z. Additionally, it was disputed whether Mr. Z had carried out the surveillance activities in a lawful manner, particularly whether a legal basis could be identified.

Mr. Z contended that the installation of surveillance cameras was in the best interest of the homeowners, claiming that their consent had been obtained through the signing of the purchase contracts, which incorporated clauses related to security and home safety regulations. Despite Mr. Z’s claim that neglecting to provide such surveillance cameras would constitute a breach of his contractual obligations, the DPA determined that the necessary consent had not actually been given, making the data processing unlawful.

Decision of the Belgian DPA

A fine of 50,000 EUR was imposed on the operator for processing personal data without a valid legal basis (GDPR, Article 6(1)).

Our remarks

• The case highlights the complexities of data privacy and protection in the context of shared living spaces. In these circumstances, understanding the roles of the various parties connected to the administration of a living complex is crucial. The identity and responsibilities of the data controller must be clearly defined. This is essential in order for the rights of individuals under the GDPR to be respected, for example in relation to the processing of personal data through the installation and monitoring of video surveillance systems.

Published: 09-07-2020 Journal number: DOS-2019-02649 Tags: 01 Legal basis and principles of processing

Private individuals fined for installing video cameras on private property

Summary

The Belgian Data Protection Authority (DPA) received a complaint regarding three surveillance cameras in a residential area. According to the complainants, the cameras were filming “the entire property” where the complainants resided. Additionally, one camera was filming “the entire street” on which the property was situated. Images captured by the cameras were presented during an exchange between the parties relating to an environmental lawsuit, in which governmental representatives and traffic experts also participated. These images contained personal data, as the cameras captured individuals moving on the public road and on private properties. The complainants argued that the images provided evidence not only of the unlawful recording of public roads and private property, but also of the unlawful transfer of these recordings to unauthorized parties.

Decision of the Belgian DPA

The owners of the surveillance cameras were fined 1,500 EUR for not having a legal basis for transmitting images containing personal data to third parties (GDPR, Article 6(1)).

Our remarks

• When installing surveillance cameras, the owner or operator is responsible for ensuring that the principles of lawfulness, fairness, minimization, and transparency as outlined in GDPR, Article 5, are observed. The purpose of processing personal data in the context of surveillance must be clearly defined and align with a legitimate interest recognized by the GDPR.
• The case offers procedural insights into scenarios where private individuals are found to have breached GDPR obligations. The Belgian DPA sent a form to the defendants, allowing them to respond to a proposed fine of 2,000 EUR. The arguments presented by the defendants were taken into account by the DPA and ultimately resulted in a reduction of the fine. Notably, the Belgian DPA considered the financial situation of the defendants when deciding the final amount of the fine.

Published: 24-11-2020 Journal number: DOS-2019-04412 Tags: 01 Legal basis and principles of processing

Music company wrongfully fined for management of musician’s social media fan page

Summary

The Facebook fan page of a musician was controlled by a music company through a contractual relationship. After termination of the management agreement, the musician wanted to reclaim control over the fan page. The Belgian Data Protection Authority (DPA) issued an order for the music company to transfer the page on the basis of data portability. The case was brought before the Court of Appeal, which annulled the DPA’s decision.

The DPA revisited the case and issued a second decision, fining the music company 10,000 EUR for not transferring the fan page after the musician had exercised their rights to data portability and objection. The fine was imposed because the music company was found to have used the artist’s name without their consent after the termination of the management contract.

The music company appealed the second decision, arguing that its right to manage the Facebook page was not based on the management agreement. Rather, it was based on the company’s exclusive license to market and commercialize the artist’s music, which derived from various agreements with the artist and a music producer.

The music company argued that the termination of the management agreement did not affect its rights to the Facebook fan page, and that it had a legitimate interest in controlling the page based on its intellectual property rights to the artist’s music.

The second decision was once again brought before the Court of Appeal, which annulled the decision, referencing an agreement which confirmed that the music company had exclusive rights to the commercial use of the artist’s name and image for a specified period of time.

Decision of the Court of Appeal

The Court of Appeal annulled the decision of the DPA, including the fine of 10,000 EUR.

Our remarks

• The rights contained in the GDPR are considered fundamental for data subjects. However, these rights must always be balanced against other rights, such as intellectual property rights. In cases such as the present one, where the personal data processing is limited in scope, the data controller’s legitimate interests may outweigh those of the data subject, particularly when the processing is necessary for the exercise of the controller’s intellectual property rights.
• This case illuminates the nuanced interplay between GDPR provisions and pre-existing contractual commitments. When establishing contracts, especially those involving personal data and associated digital assets, clarity is paramount. The dispute emphasizes the need to proactively align GDPR-compliant practices with the specific terms of contractual agreements. In essence, ensuring that GDPR requirements are embedded within contracts, while respecting the essence of existing rights and obligations, can be a critical step in mitigating such conflicts.

Published: 12-01-2021 Journal number: DOS-2020-01192 Tags: 01 Legal basis and principles of processing

Meta Platforms Ireland Ltd. fined for unlawful data processing

Summary
In 2018, a Belgian Instagram user filed a complaint against Meta, alleging that Instagram’s processing practices amounted to ‘forced consent’. The complaint was initially filed with the Belgian DPA, which referred the case to the Irish DPA.

Similarly, an Austrian Facebook user complained about Meta, arguing that the processing practices on the Facebook platform and the consent required to access the platform could not be considered ‘freely given’, in turn also constituting ‘forced consent’. The complaint was filed with the Austrian DPA, who also referred the case to the Irish DPA.

In both cases, the data subjects were represented by the Austrian Data Privacy NGO NOYB (None of Your Business).

Prior to the GDPR entering into force, Meta Ireland modified the Terms of Service governing its Facebook and Instagram services. As part of this change, Meta Ireland informed users that it was altering the legal basis used to legitimize the processing of their personal data. Previously, Meta Ireland relied on user consent for processing personal data in relation to the provision of Facebook and Instagram services, including behavioral advertising. However, it sought to switch to the ”contract” legal basis for most of its processing activities.

To continue accessing Facebook and Instagram services after the implementation of the GDPR, existing and new users were required to indicate their acceptance of the updated Terms of Service by clicking ”I accept.” Users who declined to accept would not be able to access the services.

Meta Ireland considered that by accepting the updated Terms of Service, a contractual agreement was established between Meta Ireland and the user. It also argued that the processing of users’ data in connection with the provision of Facebook and Instagram services, including personalized services and behavioral advertising, was necessary for fulfilling that contract. Therefore, Meta Ireland maintained that such processing operations were lawful under GDPR, Article 6(1)(b), which designates the ”contract” legal basis for processing.

However, the complainants disputed Meta Ireland’s claims and argued that Meta Ireland was still seeking to rely on user consent as the legal basis for processing their data, contrary to its stated position. The complainants contended that by making accessibility to its services conditional upon accepting the updated Terms of Service, Meta Ireland was effectively pressuring users to consent to the processing of their personal data for behavioral advertising and other personalized services, thereby violating the provisions of the GDPR.

In October 2021, the Irish DPA issued a draft decision, which received objections from ten other DPAs. Subsequently, the cases were referred to the European Data Protection Board, which adopted a binding decision on 5 December 2022. The Irish DPA published the final decisions on 11 January 2023.

Published: 11.01.2023 Journal number: IN-18-5-5 and IN-18-5-7 Tags: 01 Legal basis and principles of processing

Final Decision
The two decisions in question were both issued by the Irish DPA, which fined Meta 210,000,000 EUR for breaches related to its Facebook service and 180,000,000 EUR for the breaches related to its Instagram service. The fines were issued for the following violations:
• Lack of a legal basis for the processing (GDPR, Article 6(1)(b)). The Irish DPA and EDPB addressed whether Meta could rely on the fulfillment of a contract as the lawful basis for processing personal data. The Irish DPA agreed with Meta that processing was necessary for contract performance, while the EDPB disagreed. The EDPB highlighted that behavioral advertising was not essential to the contract.
• Failure to provide meaningful information about the processing operations, making it impossible for the users to understand what data was processed and on what legal basis, as the information provided was lacking in clarity and conciseness (GDPR, Articles 5(1)(a), 12 and 13).
• Infringement of the principle of fairness as a result of the ‘take it or leave it’ model, which created a significant imbalance between the platforms and their users (GDPR, Article 5(1)(a)).

Additionally, the DPA ordered Meta Ireland to bring its processing operations into compliance within a three-month period.

Besides the DPA decision, the EDPB directed the Irish DPA to investigate Facebook and Instagram’s data processing activities in regard to special categories of personal data that may be processed by these services. This is, however, inconsistent with the jurisdictional structure laid down by the GDPR, which is why the Irish DPA considered it appropriate to bring an action for annulment before the European Court of Justice. It is therefore not clear whether such an investigation will be conducted.

Our remarks
• When relying on the fulfillment of a contract as a legal basis, ensure that the processing is in fact necessary for the performance of the contract.
° The necessity of processing is to be determined by reference to a particular contract. In this case, the Irish DPA took a broad approach to determine what was necessary, based on “the nature of the services provided and agreed upon by the parties”. The DPA then stated that “it seems that the core of the Facebook model is... an advertisement model”. The EDPB, however, argued that the main purpose of the services was to enable their users to communicate with others. Additionally, the EDPB specified that the understanding of necessity should be interpreted in a manner that fully reflects the objective pursued by the GDPR, stating that the draft decision by the Irish DPA posed a risk of potentially legitimizing any collection and reuse of personal data.
• In this case, the combination of factors, such as the asymmetry of the information created by Meta regarding Facebook service users combined with the ‘take it or leave it’ situation that they are faced with, was argued to be systematically disadvantageous for Facebook service users, limiting their control over the processing of their personal data and undermining the exercise of their rights.
° When assessing the contract between the controller and data subject, ensure that the contract is not asymmetrical by considering the principles relating to processing of personal data in conjunction with the data subject’s actual ability to exercise their rights.

Beverage company fined for using eID cards to create customer loyalty cards

Summary
A customer lodged a complaint regarding the use of loyalty cards by a beverage company. The loyalty cards were issued by reading the eID cards, which are the official national identification cards in Belgium for individuals. The complainant argued that the company collected more information than necessary when creating the loyalty cards, including clients’ social security numbers, gender, and date of birth. The complainant also argued that valid consent for processing this data was not obtained.

Decision by the Belgian DPA
The Belgian Data Protection Authority (DPA) found that the company had violated the principle of data minimization and that the consent of their customers could not be considered ‘freely given’ in accordance with the GDPR. The DPA imposed a fine of 10,000 EUR on the company.

Court of Appeal
The decision was appealed to the Court of Appeal of Brussels. They annulled the fine as they found that (i) the new eID legislation could not retroactively apply, (ii) the fine lacked adequate justification, and (iii) the shop owner did not process the data associated with the complainant’s eID as the data subject had declined to provide it.

The DPA then appealed the decision from the Court of Appeal to the Belgian Supreme Court. The Supreme Court found that the Court of Appeal of Brussels failed to consider potential violations of data minimization and freely given consent under the GDPR. The Supreme Court also highlighted that the loss of benefits, like discounts, should be considered in evaluating freely given consent. They also affirmed the authority of the Belgian DPA to handle complaints even when no personal data has been processed.

The decision of the Belgian Supreme Court
The Supreme Court annulled the decision of the Court of Appeal and referred it back to the Court of Appeal. The case is pending at the time of writing.

Our remarks
• When creating loyalty programs, one must observe the GDPR principles of data minimization by using only necessary data, limiting retention time, and using data for specific purposes shared with the data subject. For example, it is rarely necessary to process the social security numbers of customers for providing a loyalty program.
• If one wants to use consent for processing personal data, one should consider the following:
° Consider whether consent is required for each processing step. If not, assess if one can use other legal bases such as contract (GDPR, article 6(1)(a)) or legitimate interest (GDPR, article 6(1)(f)).
° When seeking permission from (potential) customers, ensure they have access to and understand your clear and detailed privacy policy before making a choice. Active and voluntary consent is essential, avoiding preselected choices or implied consent. People should have the freedom to choose whether to provide consent, except in cases where data is absolutely necessary.
° To use the personal data of existing customers in direct marketing (newsletters), explicit consent may not be required. However, explicit consent is necessary for non-customers and other marketing purposes such as profile building or data sharing with partners. Obtain separate consent for these activities, clearly stating the scope in the privacy policy.

Published: 07-10-2021 Journal number: C.20.0323.N/1 Tags: 01 Legal basis and principles of processing

• Regardless of what legal basis you use, document your decisions and choices. Accountability is a key aspect of the GDPR, and you should be able to provide justifications and explanations for your actions at any given time. Maintain a comprehensive and detailed data register, as it is a fundamental obligation for nearly all data controllers.
• Exercise caution when using eID card readers, especially when creating loyalty cards or engaging in customer promotions. It is advisable to avoid such practices if possible. If you decide to implement electronic loyalty cards, ensure that the software vendor you choose has adhered to the fundamental principles of data minimization and privacy by design during the software’s development.

Medical laboratory fined for several GDPR violations

Summary
An individual filed a complaint against a medical analysis laboratory. The complainant alleged that the laboratory violated principles of confidentiality and transparency. Specifically, the complainant argued that the laboratory had not conducted a data protection impact assessment, that inadequate information was provided to data subjects, and that sensitive personal data, namely health related information, was processed using an insecure website.

The complainant had interacted with the laboratory multiple times for medical analyses and was informed that their doctor had electronic access to their test results. However, the complainant discovered that the laboratory’s website, named ”Cyberlab,” had a page for accessing medical analysis data using an unsecured HTTP protocol.

Decision of the Belgian Data Protection Authority
The DPA imposed a fine of 20,000 EUR on the medical laboratory for the following violations:
• Failing to comply with the principles of confidentiality and integrity (GDPR, Article 5(1)(f)).
• Not respecting the data subject’s right to information (GDPR, Articles 12-14).
• Lacking adequate data security measures, such as two-factor authentication (GDPR, Article 32).
• Failing to carry out an impact assessment (GDPR, Articles 35(1) and (3)).

Our remarks
• The case highlights a key aspect of the GDPR, namely the accountability principle set out in GDPR, Articles 5(2) and 24, and the fundamental obligation of data controllers to clearly identify their responsibilities under the GDPR. If data controllers are not aware of the extent of their obligations, the effective protection of data subjects will be compromised.
• When special categories of information are processed, such as health data, appropriate technical and organizational measures should be observed to protect the security and integrity of the data. Complying with GDPR, Article 32, will require additional measures in these situations, compared to situations where sensitive data is not processed.

Tags: 05 Data security Published: 19-08-2022 Journal number: DOS-2019-05244


Employer reprimanded for discussing sensitive personal data about an employee during internal HR meeting

Summary
The HR team of a medium-sized public organization held a meeting to discuss the dismissal of a senior consultant, during which she was not present. The meeting referenced and cited paragraphs from a report conducted by an external service for prevention and protection at work, documenting the employee’s extended absence and indefinite incapacity to work as determined by the company doctor.

The details discussed in the meeting were documented in the minutes of the meeting, which were shared with all employees in the department, irrespective of their attendance at the meeting. Furthermore, the minutes were posted on the organization’s Intranet, accessible to employees from all departments within the organization.

Decision of the Belgian Data Protection Authority
The Belgian Data Protection Authority issued a reprimand to the employer, since it lacked the authority to impose fines on public organizations.

Our remarks
• This case offers significant insights about the scope of the GDPR and the admissibility of complaints. The employee had initially filed a complaint to the Belgian DPA based on the verbal statements made during the meeting. This complaint was rejected on the grounds that oral statements are not covered by the GDPR. However, when the employee based her complaint on the minutes of the meeting and their availability on the public authority’s server, her complaint was deemed admissible.
• When informing staff about personnel changes, written statements should be limited to factual data while avoiding the disclosure of sensitive personal data regarding the individual involved. If processing special categories of personal data, such as health data, data controllers must ensure that one of the legal bases provided in GDPR, Article 9(2), applies to justify the processing as lawful.

Published: 09-02-2021 Journal number: DOS-2018-06125 Tags: 01 Legal basis and principles of processing

School fined for processing data about minors without parental consent

Summary
A Flemish educational institution introduced a well-being survey directed at its students, who were minors. The survey was carried out using a digital SmartSchool system, which processed the students’ personal data. An individual filed a complaint with the Belgian Data Protection Authority (DPA), claiming that the school was processing students’ personal data without parental consent and that excessive information was processed beyond the necessary scope, contrary to the principle of data minimization. The complainant also argued that the school should have conducted a data protection impact assessment (DPIA) but failed to do so.

The school argued that the data processing was lawful, referring to a legal obligation as the basis for their processing activities.

The Belgian DPA ordered the school to bring its processing activities into compliance with the GDPR and issued an administrative fine of 2,000 EUR. The decision was appealed to the Brussels Market Court and subsequently referred back to the DPA, who reduced the initial fine of 2,000 EUR.

Final decision
A fine of 1,000 EUR was upheld due to the following violations:
• Excessive processing of personal data in light of the processing purpose, contrary to the principle of data minimization (GDPR, Article 5(1)(c)).
• Lacking a valid legal basis (GDPR, Article 6(1)).
• Failing to obtain parental consent for data processing related to minors (GDPR, Article 8).

Our remarks
• Compliance with the principles set out in Article 5 of the GDPR, particularly the principles of lawfulness and data minimization, is crucial as they constitute fundamental tenets of data protection. Collecting only the necessary and relevant data for the intended purpose and avoiding excessive retention periods is crucial. Violations of these fundamental provisions are likely to be considered as significant breaches by the DPA and may result in fines being imposed.

Published: 06-10-2021 Journal number: AR/2021/576 Tags: 01 Legal basis and principles of processing

Selected interesting cases – Denmark 07

Publication of old club magazines

Summary
A citizen complained to the Danish DPA that Jyllinge Sejlklub, a sailing association, had published three of its club magazines from 1981 and 1982 on the internet, which contained information about the complainant’s name, address, age, and picture, and that the association refused the complainant’s request for erasure of the information.

The Danish Data Protection Agency’s decision
The Danish DPA did not express criticism, as Jyllinge Sejlklub’s processing of personal data was carried out in accordance with the rules in GDPR, Articles 6(1) and 17.

In the opinion of the Danish DPA, the prerequisites for erasure, as outlined in GDPR, Article 17(1)(a-f), were not met. The DPA emphasized, among other things, that the data controller still needed to process the complainant’s information and that the data controller processed the complainant’s data on a lawful basis. The authority also emphasized that the complainant did not provide specific grounds that would override the controller’s legitimate interests in processing the complainant’s data under GDPR, Article 17(1)(c), and Article 21(1).

Our remarks
• The decision provides an example of how the balancing of interests under GDPR, Article 6(1)(f) can favour the data controller. The Danish DPA emphasized, among other things, that in this case:
1. the data controller had a legitimate interest in safeguarding, protecting, and informing about its history in a natural context,
2. the club magazines had been available for almost 40 years, and
3. the types of personal data in the magazines were of a very non-invasive nature.
• The decision serves as an example of when the data subject may not exercise their right to erasure.

Published: 08-06-2020, Journal number: 2019-31-2363 Tags: 01 Legal basis for processing and principles for processing


Processing of personal data in the context of online competitions

Summary
SmartResponse obtained consent from data subjects who participated in its online competitions to process personal data for marketing purposes. Consent for this was obtained on behalf of SmartResponse and its 45 business partners.

Contestants were asked to provide information and were informed of the consent request on the same page. They were made aware that their personal data would be shared with 45 partners, and a link was provided for information about these partners.

Participants were given the option to complete additional questionnaires for more targeted marketing information, but it was not a requirement to participate in the competition.

SmartResponse included a link to withdraw consent on each competition page which could be accessed regardless of whether the person entered the contest (again) or not. Additionally, contestants received a confirmation email with information and a link to withdraw consent.

If contestants withdrew their consent, SmartResponse recorded the contestants’ phone numbers and email addresses on an internal ”no thanks” list. The data was stored for five years based on the limitation period in Section 41(7) of the Danish Data Protection Act.

The Danish Data Protection Agency’s decision
The Danish DPA concluded that SmartResponse’s processing of personal data based on data subjects’ consent was carried out in accordance with GDPR, Article 6 (lawful basis).

However, the Danish DPA expressed serious criticism that SmartResponse’s processing of personal data using the company’s internal ”no thanks” list had not been carried out within the framework of GDPR, Article 6.

The Danish DPA imposed an injunction on SmartResponse to delete the personal data included in the company’s ”no thanks” list, as the data can only be temporarily stored to clarify whether a specific dispute exists or arises.

The Danish DPA expressed serious criticism that SmartResponse’s storage of personal data for the purpose of documenting consent was in breach of GDPR, Article 5(1)(e) (storage limitation).

Finally, the Danish DPA criticized that SmartResponse did not sufficiently comply with the obligation to inform under GDPR, Article 13, cf. Article 12.

Published: 30-09-2022, Journal number: 2020-431-0075 Tags: 01 Legal basis for processing and principles for processing

Our remarks
• It is worth noting that a link to SmartResponse’s partners provided sufficient information about their partners within GDPR, Article 13. It has earlier been unclear if this was enough to fulfill the obligation to inform.
• Regarding the processing and transfer of data via questionnaires, SmartResponse relied on GDPR, Article 6(1)(f) (legitimate interest), and the exception in Section 13(2) of the Danish Data Protection Act (transfer of general customer data for direct marketing purposes without the data subject’s consent). When relying on the exception, two conditions must be met:
° It must be general (customer) information.
° The transfer must be in accordance with a balancing of interests under GDPR, Article 6(1)(f).
• In this case, the conditions for the use of the exception were not met. The information obtained via questionnaires was not general customer information, as it included detailed personal data such as the data subject’s mobile phone provider, TV provider, labor market affiliation, mortgage credit institution (if any), and electricity supplier. Therefore, the transfer did not comply with the balancing of interests rule. SmartResponse should have obtained consent before disclosing this information. Therefore, Section 13(2) of the Data Protection Act could not be relied on as the lawful basis for processing.
• Under GDPR Article 7(1), the controller may retain the information regarding obtained consent throughout the processing period for the purpose of providing evidence, as per the requirements for legal consent.
• In contrast, information on the withdrawal of consent may only be kept for a limited period, as there must be a genuine and present interest. This interest may be present for a limited period while it is determined whether a concrete dispute exists or not. The specific length of time for which the data may be kept must be decided on a case-by-case basis. The Danish DPA determined that retaining a register of withdrawn consents for five years, in line with the limitation period in section 41(1) of the Data Protection Act, is not necessary. Such retention would go against the principle of storage limitation outlined in GDPR, Article 5(1)(e).

Serious criticism for processing personal data about website visitors

Summary
The case originated from the Danish DPA’s decision on January 28, 2021, to investigate the website www.alstrom.dk, following a complaint.

During a visit to the website www.alstrom.dk, 18 different cookies were placed on the visitor’s device before obtaining consent.

Alstrøm used Google Analytics to generate statistical information about website visitors.

The case concerned two consent solutions:
1. The first involved a piece of text giving the website visitor the option to choose ”read more about cookies” or ”close”. This solution was replaced in January 2021 by a new one where:
2. The ”Accept” button was in orange font on a white background, blending in with the white background of the consent solution, while the ”ACCEPT ALL” button was in white font on an orange rectangular background, as shown in the image below:

[Image: the consent solution, showing the categories Necessary/Technical, Functional, Statistical and Marketing and the buttons ACCEPT, ACCEPT ALL and SHOW COOKIEDETAILS]

The Danish Data Protection Agency’s decision
The Danish DPA expressed serious criticism that, until the start of January 2021, Alstrøm’s processing of personal data about website visitors on www.alstrom.dk had not been carried out in accordance with the rules in GDPR, Article 6 (legal basis for processing).

The Danish DPA criticized that, after January 2021, Alstrøm’s processing of personal data about website visitors on www.alstrom.dk had not been in accordance with GDPR, Article 6.

The Danish DPA expressed serious criticism that Alstrøm’s implementation of the consent solution, at the beginning of January 2021, had not been in accordance with GDPR, Article 5 (processing principles), and Article 6.

Published: 20-10-2021, Journal number: 2021-431-0125 Tags: 01 Legal basis for processing and principles for processing

Our remarks
• It’s important to ensure that cookies are not placed on a user’s device before they have accepted them and that all other conditions for obtaining valid consent under GDPR are met. For more information, see our section on the decision against Dating.dk of 21 September 2021.
• When designing a consent solution, the wording used for accepting and rejecting cookies should be carefully considered. Specifically, in this case, the Danish DPA stated that ”Accept” and ”ACCEPT ALL” did not make it clear whether users could reject cookies. Instead, the data controller could have used ”Reject all cookies except necessary” and ”Accept all cookies”.
• Additionally, the colors for the ”accept” and ”reject” fields should be carefully chosen. In this case, the Danish DPA stated that the ”Accept” field appeared inactive, while the ”ACCEPT ALL” field appeared clear and distinct. This created a visual distinction between the two fields, potentially pushing users toward accepting all cookies.
• If using Google Analytics, it should be set up in such a way that information about visitors to the website is not transferred to third parties outside of the EU.

The dating service’s legal basis and personal data security

Summary
Dating.dk ApS (”Dating.dk”) was among the selected companies supervised by the Danish DPA in the fall of 2018. The planned supervision was aimed at the dating service’s processing of personal data that took place in connection with users creating profiles and using the service. The focus was on the dating service’s legal basis for processing and personal data security.

Before the supervision, the Danish DPA sent a series of questions to Dating.dk. However, Dating.dk refused to disclose the number of users, considering it a business secret. As a result, the police searched Dating.dk’s address, enabling the Danish DPA to obtain the required information.

Dating.dk’s consent solution was designed as follows: The user would accept the Terms and Privacy Policy by checking the same box. Additionally, the user should consent to the processing of personal data concerning gender.

[Image: Dating.dk’s consent solution design. Screenshot text, translated from Danish: ”Create your free profile now. Last step before you are ready to meet all the lovely singles.” Checkboxes: ”I wish to receive news, tips, invitations to events, competitions and special offers by e-mail. You can always unsubscribe from these e-mails again.” / ”I accept the terms of use and the personal data policy” / ”I hereby give consent to the processing of the information about which gender I am looking for”. Buttons: ”Create my profile”, ”Back”.]

During the audit, Dating.dk asserted that they did not process the personal data of a large number of users, as all profiles were anonymous, and users created fictitious usernames. Furthermore, they stated that they did not process sensitive or confidential personal data unless users voluntarily provided such information in free text fields.

The Danish Data Protection Agency’s decision
The Danish DPA expressed serious criticism that Dating.dk’s processing of personal data had not been carried out in accordance with the rules in GDPR, Article 6(1) (legal basis for processing general personal data), and Article 9(1) (prohibition against the processing of special categories of personal data).

The Danish DPA ordered Dating.dk to bring their processing of personal data about users in accordance with GDPR, specifically Article 6(1), cf. Article 9(1), by November 16, 2021. They also required Dating.dk to submit a copy of their consent solution by the same deadline if processing continued.

The Danish DPA also expressed serious criticism that Dating.dk ApS processed personal data, including location information and special categories of personal data, without demonstrating that the processing was conducted with regard to the risks to the data subject’s rights and freedoms in accordance with GDPR, Article 32(1) and (2) (security of processing).

Published: 21-09-2021, Journal number: 2018-41-0013 Tags: 01 Legal basis for processing and principles for processing

Our remarks
• When basing your personal data processing on the consent of the data subject, this consent can be given by the data subject ticking a box. However, you should pay attention to how your consent solution is designed. Here are some good rules of thumb:
° In the consent solution, user Terms and Privacy Policy must not be accepted by ticking the same box. Instead, they should be presented as separate options and thereby allow the user to make a choice.
° If both general and sensitive personal data are processed, the user must consent to these individually.
° If personal data is processed for multiple purposes, the user must also consent to these individually.
• The Danish DPA thinks that dating sites process sensitive information about sexual relations or sexual orientation by virtue of being a dating site.
• If you refuse to provide information about the processing to the DPA on the basis that it constitutes a trade secret, then it may lead to an investigation or search.
• If there is a service where users can be created, you will almost always process personal data about these users, such as a username or an e-mail address, as the clear starting point is that these constitute personal data. Regardless of whether a username or an email address in the specific case can be characterized as personal data, you will always process personal data in the form of users’ IP addresses.
• You are a data controller for the personal data that users provide in free text fields. This is the case even if they are optional.

Næstved municipality: Public interest and cookies

Summary
In October 2020, the Danish DPA initiated an own-initiative case against Næstved Municipality regarding its processing of personal data about website visitors. The website displayed the following text to visitors of the website:

”This website uses cookies to improve your experience, to assess the use of the individual elements of the website, and to support the marketing of our services. By clicking further on the website, you agree to the website’s use of cookies.”

The basis for processing for Næstved Municipality’s collection of personal data via cookies was stated as GDPR, Article 6(1)(e) and was therefore for the purpose of performing a task carried out in the public interest, including for the purpose of providing information about the municipality’s performance of municipal tasks. The purpose was pursued by, among other things:
• Maintaining the overall security of the website, for example by identifying illegal and malicious traffic.
• Measuring the impact of communication efforts based on data on the pages and links citizens use.

The use of cookies on Næstved Municipality’s website was set up in such a way that individual cookie data was collected by Siteimprove, which generated irreversibly anonymized statistics for the municipality.

Siteimprove used Amazon Web Services (AWS) Frankfurt as a sub-processor, which was disclosed in the data processing agreement between Næstved Municipality and Siteimprove. The agreement ensured that personal data was only stored in the EU. AWS Frankfurt provided guarantees in the agreements and publicly that this restriction would be maintained and that there was no transfer of data to countries outside the EU, including the United States.

The Danish Data Protection Agency’s decision
The Danish DPA criticized Næstved Municipality in connection with the processing of personal data about website visitors, which did not comply with GDPR, Article 5(1)(a) (personal data must be processed lawfully, fairly and in a transparent manner).

The Danish DPA also concluded that Næstved Municipality’s processing of personal data about website visitors for statistical purposes was within the scope of GDPR, Article 6(1)(e) (processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller).

Our remarks
• The Danish DPA criticized Næstved Municipality for stating that cookies were collected for marketing purposes, even though this was not the case. Thus, the data controller must ensure that their cookie information or privacy policy accurately reflects the purposes of the personal data processing involved.
• Public authorities may use their authority to perform official tasks as a legal basis for processing personal data by collecting statistical cookies, as long as they can demonstrate that the cookies contribute to the performance of their tasks. In this case, measuring impact on communication and ensuring security on the website was within the task of the municipality.
• If personal data is processed for statistical purposes, it is good practice to anonymize the data to ensure that personal data is not processed more extensively than necessary.
• The Danish DPA concluded that Siteimprove did not transfer data to third countries in connection with its use of AWS.

Published: 17-11-2021, Journal number: 2020-432-0047 Tags: 01 Legal basis for processing and principles of processing

Unauthorized access to video surveillance

Summary

An employee in Salling (Danish supermarket) allowed a former employee to enter the store through the staff entrance. The former employee was shown video surveillance footage from the store, which included images of the former employee’s ex-girlfriend shopping with a friend.

Despite the incident, the Danish DPA concluded that Salling had taken appropriate organizational and technical measures to ensure a level of security appropriate to the risks inherent in the processing of personal data in question, and that the company could not be held responsible for the incident in question.

In addition to the many measures taken by Salling, the Danish DPA emphasized that an employee deliberately and against company guidelines violated the guidelines in several ways, such as giving a former employee access to the building. The Danish DPA also concluded that the employee took several actions that went beyond what Salling could reasonably be expected to have been prepared for or taken measures to avoid.

The Danish DPA therefore only criticized the fact that Salling did not report the breach until 10 days after the company became aware of the incident.

The Danish Data Protection Agency’s decision

The Danish DPA criticized Salling for not complying with GDPR, Article 33(1), as Salling did not report the security breach to the Agency until 10 days after the company became aware of the incident.

The Danish DPA concluded that Salling’s processing of personal data had been carried out in accordance with GDPR, Article 32(1) on security, and Article 34(1) on notification of breaches to data subjects.

Our remarks

A controller is not held liable for exceptional or unforeseeable actions of employees that lead to a personal data breach if the controller itself has taken appropriate organizational and technical measures. The division of liability between employer and employee is thus similar to principal liability in tort law.

• It must be possible to document to the Data Protection Authority what measures have been taken. This documentation must be easily accessible and must be produced within a reasonable time.

• The ISO/IEC 27001 standard can be a useful tool for ensuring and documenting proper information security. The standard is not in itself a requirement under the GDPR. However, it can be useful for many reasons and is also a prerequisite for certification against ISO/IEC 27701, which is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management and can be used to support compliance with the GDPR.

Published: 18-06-2020, Journal number: 2020-441-4652 Tags: 05 Data security

Complaint about failure to erase

Summary

A former employee complained about DMR A/S’s failure to delete video recordings and images of him that were included in a series of films on the company’s website, Facebook page, and YouTube.

On 7 June 2018, the complainant signed a consent declaration for the publication of images and videos. The complainant had authorized DMR A/S to use video recordings of him on the company’s website, in leaflets, newsletters, or other externally targeted informative material.

On 6 September 2019, the complainant asked DMR A/S to remove a film from YouTube in which he appeared, as his employment relationship with DMR A/S had ended. DMR A/S replied that they would cut the complainant out of all films.

On 10 September 2019, the complainant wrote to DMR A/S informing them that he had still not been removed from DMR A/S’s commercials. DMR A/S stated the same day that the work was “in progress” and asked the complainant to be patient.

On 17 September 2019, DMR A/S informed the complainant that he had now been removed from the employee film. The complainant contacted the Danish DPA on 27 September. On 11 December 2019, the Danish DPA nevertheless found that the complainant still appeared in a video on DMR A/S’s website and on YouTube. The video was subsequently deleted.

The Danish Data Protection Agency’s decision

The Danish DPA seriously criticized the fact that DMR A/S’s handling of the complainant’s request for erasure had not been carried out in accordance with GDPR, Article 17(1) (right to erasure).

Our remarks

• According to the Danish DPA, if the data subject withdraws his or her consent, erasure pursuant to GDPR Article 17(1)(b) must take place immediately after the withdrawal. It is not specified how long this is, but in this specific case, three months was too long.

• It can be difficult to remove a person from a video while maintaining the original quality of the video. The Danish DPA did not appear to consider whether significant resources are needed to remove a person from a marketing video, or whether the marketing video becomes ineffective when a person featured in it withdraws their consent. A data controller who wants to produce marketing videos or the like should therefore consider that a person who appears in the video based on his or her consent may demand that he or she no longer appears in the video.

• If your company wants to use images or videos for marketing purposes on the internet, it should consider the risk that it may have to delete the video or cut a person out of the video, which could render it meaningless.

Considering this risk, we suggest the following should be considered:

• If the processing is based on the legitimate interests of the organization: Marketing is a legitimate interest, so this basis for processing is not useless. However, a former employee will typically have a fairly strong interest in not appearing in a significant role in marketing material from a company that no longer employs them. Legitimate interests should therefore often only be used as a basis for processing where the individuals involved have a more discreet role in the material, for example an employee working in the background, or where participation in marketing is a natural part of the job of the individuals involved.

• If the processing is based on a contract with the employee: If the processing relates to an employee who has a more prominent role in, for example, a video, the organization may choose to enter into a contract with the employee instead of relying on consent. This is likely to require, firstly, that the employee receives some form of payment for their participation. Secondly, there must be a written agreement to demonstrate that the processing is carried out based on a contract.

• If the processing is based on consent: take into account the risk that one or more of the employees appearing in the material may have to be removed.

Published: 18-05-2020, Journal number: 2019-31-2316 Tags: 03 Erasure and rectification

Gladsaxe Municipality: Court ruling in the Gladsaxe case

Summary

The case concerned a personal data breach in Gladsaxe Municipality, where four computers were stolen from the municipality’s town hall. One of these computers contained a spreadsheet with information on approximately 20,000 citizens. This information was not encrypted, and the spreadsheet contained information such as civil registration number, age, and gender.

Seven individuals subsequently sued Gladsaxe Municipality, claiming compensation for non-material damage under GDPR, Article 82. The individual claimants had made claims in the range of DKK 7,500 to DKK 30,000.

The Court’s decision

The Court concluded that Gladsaxe Municipality had not acted in breach of the principles for processing personal data in GDPR, Article 5(1)(a), (b), or (c) (processing principles). The processing had also been carried out in accordance with GDPR, Article 6(1)(f) (legitimate interest) and Article 9(2)(f) (processing is necessary for the establishment of legal claims), and Section 5(1) of the Danish Data Protection Act (processing in accordance with purpose).

The Court concluded that the municipality, as data controller, had not complied with the GDPR’s requirements for the security of processing within the meaning of GDPR, Article 32(1) and (2) (security of processing), cf. Article 5(1)(f).

After an overall assessment of the data security breach, and in comparison with the nature of the information on each of the applicants to which the breach related, there was no basis to conclude that the applicants had suffered damage that could justify compensation. Consequently, the Court held that there was no basis for awarding the applicants compensation under GDPR, Article 82 for non-material damage. Gladsaxe Municipality was therefore acquitted of the plaintiffs’ claim for compensation.

Published: 11-05-2021, Journal number: BS-19120/2019-GLO Tags: 05 Data security

Our remarks

• The Court concluded that GDPR, Article 82(1) must be interpreted as including compensation for non-material damage.

• Collecting personal data on approximately 20,000 citizens in a single Excel sheet does not violate the principle of data minimization. Therefore, a controller may collect large amounts of personal data in individual files if it is necessary to process the data in the same document to fulfill a task.

• Even if an employee breaches internal guidelines, the controller can be accountable if the controller is aware that the unlawful act is being carried out. In this case, employees of Gladsaxe Municipality were prohibited from storing personal data locally on the computers, but at the same time, the municipality was aware that employees had to store the file locally to be able to work in it.

• The district court held that GDPR, Article 82(1) provides for the possibility of awarding compensation/indemnification to the data subject for damage that is not of a material nature. This may increase the disadvantages of being criticized, as the data controller will risk being faced with claims for compensation from the data subjects who have been affected by the unlawful processing, even if the Data Protection Authority does not issue a fine.

• The Court stated that the subjective feeling of being infringed is not sufficient to award damages under GDPR, Article 82(1). Instead, it requires that the unlawful act under data protection law has caused damage or an imminent risk of damage to, for example, reputation, loss of confidentiality, etc., or other consequences of a certain qualified nature. Specifically, in this case, one of the citizens had DKK 95,000 stolen from his bank account. This loss was compensated, but the citizen’s fear of future misuse of his information was not damage of a “qualified” nature according to the District Court’s assessment.

• At the time of writing, this judgment is under appeal to the High Court. The legal position regarding compensation for non-material damage in Denmark is therefore not carved in stone and can probably only be considered definitively clarified when a similar judgment is delivered by the Court of Justice of the European Union or the Supreme Court.

Transmitting sensitive information through text message

Summary

During the evening of 2 September 2021, a young person approached Joannahuset, which is a child/youth crisis center offering shelter to young people. Joannahuset then contacted the young person’s current foster home to obtain consent for the young person to spend the night at Joannahuset.

The Danish DPA was informed that Joannahuset had previously been in dialogue with the young person and had given him or her shelter. According to Joannahuset, the dialogue with the young person’s municipality of origin had previously been difficult.

On this basis, the staff at Joannahuset assessed that in the specific situation, there was a particular need to ensure that the identity of the young person and the identity of the person who gave consent from the municipality were clearly established and could be documented. Joannahuset therefore requested the municipality of origin to transfer the young person’s social security number via text message (SMS).

The normal procedure for securely obtaining social security numbers was thus deviated from in order to fulfill the young person’s urgent request for shelter.

The Danish Data Protection Agency’s decision

The Danish DPA did not overturn Joannahuset’s assessment in this specific situation, considering the young person’s best interests, arising in an acute situation and with limited possible solutions. This outweighed the consideration of the protection of personal data, since the young person could have suffered a greater loss of rights if the text message in question had not been sent.

Our remarks

• The Danish DPA is generally of the opinion that the transmission of sensitive data via text message involves a significant risk to the rights and freedoms of data subjects. As with transmission by e-mail, the risk of transmitting sensitive information by text message over the Internet is at the “high end of the scale”. The Danish DPA states that these risks can only to a very limited extent be mitigated by measures taken by the data controller itself.

• In the specific case, the Danish DPA assessed that data protection requirements in special cases must give way to other weightier considerations, including, for example, the urgent need to safeguard life and health in relation to particularly vulnerable groups of people. According to the Danish DPA, such relaxation of data protection must be based on a specific assessment, and the considerations must be documented.

Published: 27-04-2022 Journal number: 2021-431-0151 Tags: 05 Data security

Serious criticism for insufficient testing of a software update

Summary

In 2021, the University of Southern Denmark experienced a data breach after an update of an HR system, whereby the settings for rights management were changed. Employees were assigned different roles in the system which, depending on the employee’s work-related needs, would give them access to view content, including job applications, containing personal data.

Due to an error with the update, the existing management of rights was canceled, after which all employees at the University of Southern Denmark, i.e., 7,011 employees, were given potential access to applications from a total of 417 applicants. Of these, approximately 400 employees had a work-related need to access the applications.

The University of Southern Denmark had not tested the update on the test system before it came into force. The university had a practice of 14 days of testing for updates that lead to changes in roles and their associated functions, but this was not carried out in this specific case. This was due to the University’s lack of knowledge that the update would lead to changes of the nature in question.

The Danish Data Protection Agency’s decision

The Danish DPA seriously criticized the University of Southern Denmark for not processing personal data in accordance with the rules in GDPR Article 32(1) (security of processing).

Our remarks

• A controller’s responsibility to test updates that, for example, reset or change previously selected settings does not cease, even if the controller is unaware of these features of the update. This applies regardless of whether the lack of knowledge is because the software vendor has not adequately communicated this.

• Controllers should therefore seek knowledge about the consequences of updates themselves, even if the software supplier may have provided adequate information.

Published: 12-05-2022 Journal number: 2021-442-13989 Tags: 05 Data security
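The failure mode in this case is an update that silently rewrites the role-to-permission table, so that every employee can suddenly read job applications. The practical check is an authorization regression test: snapshot who can reach what before the update, recompute it on the test system after the update, and block the rollout if anyone gained access to a protected resource. The following is an added example written for this casebook entry, not code from the decision or from the university’s HR system; the role, user and resource names are constructed sample data, with a “recruiter” role that may view applications and a general “employee” role that must not.

```python
"""Authorization regression check to run before a role-changing update goes live.

Added example, not code from the casebook or from the University of Southern
Denmark's HR system. Role-based access is modelled as two tables
(role -> resources, user -> roles). The check computes every user's effective
access before and after an update and lists each right the update newly granted.
All names below are constructed sample data, not identifiers from the decision.
"""


def effective_access(role_permissions, user_roles):
    """Return {user: frozenset(resources)} reachable through the user's roles.

    Unknown roles grant nothing; a user with no roles still appears with an
    empty set so that removed access is also visible in a diff.
    """
    access = {}
    for user, roles in user_roles.items():
        granted = set()
        for role in roles:
            granted |= role_permissions.get(role, frozenset())
        access[user] = frozenset(granted)
    return access


def access_diff(before, after):
    """Compare two effective-access maps.

    Returns (gained, lost): {user: frozenset(resources)} newly granted and
    newly removed. A user present on only one side has no access on the other.
    """
    gained, lost = {}, {}
    for user in set(before) | set(after):
        old = before.get(user, frozenset())
        new = after.get(user, frozenset())
        if new - old:
            gained[user] = new - old
        if old - new:
            lost[user] = old - new
    return gained, lost


def users_gaining(gained, resource):
    """Sorted list of users to whom the update newly exposes `resource`."""
    return sorted(u for u, res in gained.items() if resource in res)


def update_is_safe(before_roles, before_users, after_roles, after_users, protected):
    """True if no user gained access to any resource in `protected`.

    Run against a test environment with the production role/user tables applied;
    a False result should block the rollout until every new grant is explained
    and approved.
    """
    gained, _ = access_diff(
        effective_access(before_roles, before_users),
        effective_access(after_roles, after_users),
    )
    return not any(res & protected for res in gained.values())


# Constructed sample data (assumed names, not from the decision).
USERS = {
    "alice": frozenset({"recruiter"}),
    "bob": frozenset({"employee"}),
    "carol": frozenset({"employee"}),
    "dave": frozenset({"employee"}),
}
BEFORE_ROLES = {
    "recruiter": frozenset({"applications", "own_profile"}),
    "employee": frozenset({"own_profile"}),
}
# Update that resets the permission table: every role may now view applications.
AFTER_ROLES_RESET = {
    "recruiter": frozenset({"applications", "own_profile"}),
    "employee": frozenset({"applications", "own_profile"}),
}
# Benign update: a new resource visible only to recruiters.
AFTER_ROLES_BENIGN = {
    "recruiter": frozenset({"applications", "own_profile", "interview_notes"}),
    "employee": frozenset({"own_profile"}),
}
PROTECTED = frozenset({"applications"})


if __name__ == "__main__":
    before = effective_access(BEFORE_ROLES, USERS)
    for label, roles in (("reset", AFTER_ROLES_RESET), ("benign", AFTER_ROLES_BENIGN)):
        gained, lost = access_diff(before, effective_access(roles, USERS))
        safe = update_is_safe(BEFORE_ROLES, USERS, roles, USERS, PROTECTED)
        print(f"{label}: safe={safe}, newly see applications="
              f"{users_gaining(gained, 'applications')}, lost={dict(lost)}")
```

The diff is computed on effective access rather than on the raw role table, so it also catches updates that leave the role definitions untouched but re-map users to roles. On the 7,011-employee system in the case, the “reset” branch would have listed roughly 6,600 unexpected grants against the 417 applicants’ files before the update reached production.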

Sub-processor refused to provide data to the controller

Summary

A company, as a data controller, had engaged another company as a data processor. The data processor (A) later entered into a data processing agreement with its IT supplier (data processor (B)), which then became a sub-processor for the original data controller.

The sub-processor had refused to meet the data controller’s demand for the return of customer data with reference to the agreement in question, including by challenging the data controller’s power of instruction.

(The original includes a figure illustrating the relationship between the parties.)

The Danish Data Protection Agency’s decision

The Danish DPA seriously criticized the sub-processor’s processing of personal data, which had not been carried out in accordance with the rules in GDPR, Articles 6 (lawful processing) and 9 (processing of special categories of personal data) and Section 11 of the Danish Data Protection Act, cf. GDPR, Article 28 (requirements for data processors).

The Danish DPA issued an order to the data processor to disclose the data controller’s customer data. In addition, the data processor was prohibited from processing the data controller’s customer data after disclosure, unless this was done on the instructions of the data controller.

Published: 07-02-2022 Journal number: 2022-431-0167 Tags: 04 Data processing agreements and supervision of data processors and sub-processors

Criticism of failure to fulfill information obligations

Summary

The case began when the Danish DPA became aware, following several specific inquiries in 2019, of the Conservative political party’s processing of personal data in relation to sending letters to selected households about the European Parliament elections and the general election in 2019.

The Conservative Party collected the names and addresses of selected recipients to send them letters about the party’s key issues. When asked to provide information to the data subjects (recipients of the letters), the party stated that it was exempted from this obligation, as the collection of names and addresses for the purpose of sending a letter is an explicitly established right under Danish case law and does not override the interests of the data subject.

The Conservative Party cited GDPR, Article 6(1)(f) (legitimate interest) as the basis for processing.

The Danish Data Protection Agency’s decision

The DPA concluded that the Conservative Party’s processing of personal data was conducted within the framework of GDPR, Article 6(1) (legal basis for the processing of general personal data).

The Danish DPA criticized that the party’s processing of personal data had not been carried out in accordance with the rules in GDPR, Article 14 (obligation to provide information when the data has not been collected from the data subject).

Our remarks

• Sharing information about a party’s key issues with potential voters may constitute a legitimate interest that can serve as a legal basis for processing personal data in the form of names and addresses.

• The exception to the obligation to provide information in Article 14(5)(c), which applies when obtaining or disclosing the personal data is expressly laid down by law, should be interpreted narrowly. For the exemption to apply, legislation must explicitly state that the obligation to provide information does not apply to the processing activity in question; a right established only in case law is not sufficient.

• In the context of sending letters, publishing information on the controller’s website does not fulfill the information obligation, as the controller is not actively providing the information to the data subject.

Published: 22-12-2021, Journal number: 2019-431-0031 Topics: 02 Right of access and obligation to provide information


Authorization for municipalities to use AI profiling

Summary

The Danish Data Protection Authority (DPA) was asked by the Danish Agency for Labor Market and Recruitment (STAR) to evaluate the legal basis for municipalities, including job centers, to use an AI profiling tool called Asta.

Asta used statistical methods and machine learning analysis to determine the risk that a recently unemployed citizen’s contact with the job center would be prolonged. It was built on anonymized historical data from the most recent years’ unemployment benefit cases, used to construct personal characteristics and show the correlation between approximately 50 variable characteristics and the duration of contact with the job center.

The characteristics included information from the citizen’s CV, such as language skills and job history, as well as details such as gender, age, need for an interpreter, and previous contact processes.

The Danish DPA examined whether citizens’ consent under GDPR, Article 6(1)(a) could constitute a lawful basis for processing when using the tool, but determined that this was not the case. Instead, the DPA concluded that GDPR, Article 6(1)(e), which addresses the exercise of public authority, could constitute the lawful basis for processing. However, this legal basis is subject to several requirements, including that the processing must be foreseen in EU law or national law. The more intrusive the processing activities, the stricter the requirements for the national legal basis.

The Danish Data Protection Agency’s decision

The Danish DPA assessed that in connection with the use of the Asta tool, the municipalities’ legal basis for processing personal data would be GDPR, Article 6(1)(e), which requires implementation in national legislation, and Article 9(2)(g) if special categories of personal data are also processed, such as health data about the citizens in question.

Our remarks

• Valid consent requires that it is given voluntarily. In a situation where a municipality (job center) is the data controller and an unemployed citizen is the data subject, the power imbalance between the parties is considered too great for consent to be given voluntarily.

• The lawful use of a profiling tool such as Asta requires the existence of a legal basis under national or EU law that foresees the processing of data subjects’ data. The requirements for the clarity of this legal basis depend on the intrusiveness of the tool. In addition, it is still possible that processing based on such a legal basis would require the individual data subject’s consent for the tool to be used in his or her case.

Published: 18-05-2022 Journal number: 2022-212-3676 Tags: 01 Legal basis for processing and principles for processing

The Chromebook Case 1

Summary

Helsingør Municipality provided Google Chromebooks to its school pupils, giving them access to the G Suite software package, which required the creation of a school account with Google. To create these accounts, the pupils’ full names, schools, and grade levels were transferred to Google, which also made the full names of pupils with name and address protection available to Google products such as YouTube, of which the municipality was unaware.

A control panel was used to manage which programs pupils could access and how their information was shared with Google.

The Chromebooks with G Suite were distributed on the basis of the Public Schools Act, so the municipality did not consider it necessary to obtain consent from the pupils’ parents.

The case was initiated following two complaints to the Danish DPA that Helsingør Municipality had created Google accounts for pupils without parental consent. In addition, the complainants pointed out that the pupils’ login details were pasted on the laptops, leaving them vulnerable to unauthorized access.

The Danish Data Protection Agency’s decision

• The Danish DPA seriously criticized that the processing of personal data by Helsingør Municipality was not in accordance with the General Data Protection Regulation.

• The Danish DPA issued a warning to Helsingør Municipality stating that using G Suite’s add-on programs without carrying out a data protection impact assessment would be a clear violation of the GDPR.

• If the risk assessments showed a high risk to the rights and freedoms of data subjects, and the risks had not been reduced to a level below high, the DPA would notify the municipality of a temporary restriction on processing operations.

Our remarks

• If you process personal data about children, you must be extra careful to ensure that your legal basis for processing is in order, as children have special protection under the General Data Protection Regulation. In this case, the Danish DPA concluded that the legal basis for processing personal data under the Public Schools Act was not sufficient. Therefore, Helsingør Municipality should have either obtained consent from the pupils or their parents, or ensured that no unnecessary personal data was shared with G Suite.

• It is not GDPR-compliant to label computers with their login credentials, as the controller does not ensure an adequate level of security by doing so.

• If different functionalities of a program package involve different processing activities and personal data flows, these functionalities must be risk assessed separately. As a rule, in situations where the personal data of children are processed in complex technology, this will pose a high risk to the data subject. When sharing personal data with Google features, the risk assessment should consider that Google’s business model includes collecting personal data and using it for marketing purposes.

• At the same time, attention must be paid to a possible transfer to a third country when using Google applications. Specifically, Helsingør Municipality had entered into a data processing agreement that ensured that data did not leave the EU/EEA. Therefore, the Danish DPA did not address the issue of third-country transfers.

Published: 10-09-2021, Journal number: 2020-431-0061 Tags: 01 Legal basis for processing and principles for processing

The Chromebook Case 2

Summary

In September 2021, the Danish DPA issued a decision in which Helsingør Municipality was instructed to conduct a new risk assessment of the processing of personal data in primary and lower secondary schools when using Chromebooks and Workspace for Education (formerly G Suite). The Danish DPA subsequently assessed the content of Helsingør Municipality’s new risk assessment and whether the conditions for third-country transfers were met.

Helsingør Municipality had prepared a TIA (transfer impact assessment), adopted the EU Commission’s standard contractual clauses, and conducted a risk assessment regarding the use of Chromebooks and Workspace for Education. However, the risk assessment was found to be incomplete, as it did not address all potential risks, such as the risk of unauthorized access to personal data stored on the Chromebooks.

In its risk assessment, Helsingør Municipality acknowledged that Google might breach its contractual obligations not to use the personal data for marketing purposes, but assessed that the likelihood of that happening was low.

The Municipality also ensured that personal data were only stored in data centers in the EU/EEA, but acknowledged that personal data could be transferred to third countries in support situations where Google’s US department would have access to the personal data in question. Helsingør Municipality argued that Google could not be subject to surveillance under FISA 702, as the personal data was not transferred by Google LLC, but to Google LLC for use in support services. However, the Danish DPA found this argument insufficient, as FISA 702 prohibits surveillance of US persons, but not surveillance of foreign individuals.

This case relates to: Chromebook Case 1: Serious criticism of Helsingør Municipality for incomplete risk assessment.

The Danish Data Protection Agency’s decision

• The Danish DPA issued a prohibition against the Municipality of Helsingør processing personal data using Google Chromebooks and Workspace for Education. The prohibition applied until the municipality brought the processing activity into compliance with data protection legislation and prepared adequate documentation for this.

• Any transfer of personal data to the United States was suspended until Helsingør Municipality could demonstrate that the rules in Chapter V of the General Data Protection Regulation on transfers to third countries had been complied with.

• The Danish DPA severely criticized the fact that the municipality’s processing of personal data had not been carried out in accordance with GDPR, Article 5(2) (accountability), cf. Article 5(1)(a) (lawfulness, fairness, and transparency), Article 24 (responsibility of the controller), cf. Article 28(1) (requirements for data processors), Article 35(1) (impact assessment), and Article 44 (general principle for transfers), cf. Article 46(1) (transfers subject to appropriate safeguards).

Published: 14-07-2022 Journal number: 2020-431-0061 Tags: 06 Transfers to third countries

Our remarks

Risk assessment

• In a risk assessment, it is important to document all the risk scenarios that may arise when using a given service (e.g., Google Workspace). In this case, Helsingør Municipality had not sufficiently addressed how Google collected information about users and used it in other situations, such as marketing and further distribution of this information.

• When conducting a risk assessment, data controllers must evaluate the use of data processors and ensure that they fulfill their obligations under the data processing agreement. To verify this, the data controller may need to test the online environments to ensure that personal data is not being mishandled or misused.

• If there is a risk that the processor may engage in unlawful activities, the controller must take concrete technical or organizational measures to mitigate the risk, even if the likelihood of it happening is low.

Third country transfer

• The Danish DPA has clarified that when personal data is transferred to a US company through Workspace, it can be subject to monitoring under FISA 702 precisely because the data pertains to Danish citizens, who are not US persons. Google LLC must therefore be considered an “electronic communications service provider”. As a result, a data controller using Workspace would need to implement supplementary measures to comply with data protection regulations.

• These measures must generally be technical measures, as organizational and contractual measures will not prevent US authorities from accessing personal data.

• Although encryption is a useful technical measure for protecting personal data, it may not be effective in the context of FISA 702. If the recipient of the data itself has access to the encryption key, this will not enhance the protection of personal data, since FISA 702 may still require access to personal data held by a US data processor. In such cases, the processor would be obliged to assist the authority in providing access to the personal data, rendering the encryption ineffective in preventing access to the data. Encryption only works as a supplementary measure if the key remains solely with the controller in the EU.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework addresses the challenges of the Schrems II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that are certified under the framework without conducting a TIA. However, the general considerations concerning the transfer of personal data to other third countries without an adequacy decision still apply.

The Chromebook Case 3

Summary
The Danish DPA reviewed new documentation submitted by Helsingør Municipality following its decision on July 14, 2022, to prohibit Helsingør Municipality from using Google Chromebooks for primary school education.

A central issue in the case was that the Danish DPA believed that the use of Chromebooks and Google Workspace generated personal data that Google used for purposes such as marketing and application improvement, which went beyond the purposes that Helsingør Municipality had assumed in their risk assessment, impact assessment, and data processing agreement with Google.

For more information, see the two previous decisions, “Chromebook Case 1: Serious criticism of Helsingør Municipality for incomplete risk assessment” and “Chromebook Case 2: The Danish Data Protection Agency imposes processing ban on Helsingør Municipality”.

The Danish Data Protection Agency’s decision
• The Danish DPA concluded that Helsingør Municipality’s use of Google Chromebooks and Workspace for Education to process personal data was still not in compliance with GDPR. The DPA also concluded that the documentation prepared by the municipality on 1 August 2022 did not conform with Article 35(1) (impact assessment when using new technologies) and (7) (minimum requirements for impact assessment), as well as Article 36(1) (prior hearing with the Danish Data Protection Agency).
• The Danish DPA’s prohibition of 14 July 2020 was upheld.

Our remarks
• When conducting a risk assessment or an impact assessment of a particular service, it is essential for the data controller to evaluate the entire environment in which the service is provided. In the case of Helsingør Municipality, it had only assessed how personal data was processed in Workspace and had not considered how personal data was processed in the Google Chrome browser or Google OS (the operating system for Chromebooks).
• When a data processor uses personal data to improve its own applications, it becomes an independent data controller for this processing. If this is done for a public authority, a separate legal basis is required for the transfer of the personal data, since the processing of the personal data is then carried out for a purpose that goes beyond the legal basis for processing to fulfill public authority tasks.
• When using contractual measures to mitigate risk with a specific data processor, it is important that the data controller is aware of the types of personal data that are being processed and when. In the data processing agreement with Google, Helsingør Municipality had not contractually protected the data that could be derived from the use of Chromebooks and Workspace. As a result, Helsingør Municipality had not minimized the risk of this processing.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 18-08-2022, Journal number: 2020-431-0061, Tags: 06 Transfers to third countries

The Chromebook Case 4

Summary
In July 2022, the Danish DPA imposed a ban on the use of Google Workspace in Helsingør Municipality, and in August 2022, the DPA upheld the ban.

Subsequently, the Helsingør Municipality had, in dialog with the Danish DPA, identified several circumstances where the use of Google Workspace, etc. was either not legal or where the risk to school pupils had not been sufficiently identified and reduced. In light of this finding, the Danish DPA temporarily lifted the ban and issued several orders to the municipality to ensure that the use of Google Chromebooks and Workspace for Education was in compliance with GDPR.

For more information, see the previous decisions, “Chromebook Case 1: Serious criticism of Helsingør Municipality for incomplete risk assessment”, “Chromebook Case 2: The Danish Data Protection Agency imposes processing ban on Helsingør Municipality” and “Chromebook Case 3: Danish Data Protection Agency upholds ban”.

The Danish Data Protection Agency’s decision
• The Danish DPA’s prohibition to Helsingør Municipality on August 18, 2022, was suspended until November 5, 2022.
• The Danish DPA issued an order to Helsingør Municipality to amend the in-depth agreement with the data processor in such a way that the matters mentioned in the Agency’s decisions of July 14 and August 18, 2022, as well as the material submitted by the municipality on September 1, 2022, which originated from the overall contractual basis with the supplier, were brought into compliance with the GDPR.
• The Danish DPA further ordered Helsingør Municipality to provide a detailed description of the data flows that took place and to identify the personal data that was transferred to the provider. The municipality must also clarify whether it acted as an independent or shared data controller in each instance. Additionally, the documentation had to cover the entire technology stack used by Helsingør Municipality for processing the data.
• The Danish DPA further ordered Helsingør Municipality to prepare an updated data impact assessment based on all the risks identified by the municipality during the documentation process, in the eventuality that there were additional high, non-mitigable risks. The order also included consultation with the Danish DPA under GDPR, Article 36.
• Finally, the Danish DPA ordered Helsingør Municipality to submit a final, time-bound plan for legalizing any processing operations that were not able to be legalized before the deadline for the orders, which was set on 3 November 2022.

Our remarks
• If a data impact assessment reveals that a specific residual risk to the rights of the data subjects cannot be reduced from a high to a low level, the controller has the possibility to consult the Data Protection Authority. The DPA can then advise the controller on how to reduce the risk.
• If the use of a data processor is unlawful, it may be necessary to amend the data processing agreement.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 08-09-2022, Journal number: 2020-431-0061, Tags: 06 Transfers to third countries

Serious criticism for unintended changes to shared medical record

Summary
On 13 August 2021, the Danish Health Data Authority reported a personal data breach to the Danish DPA. This breach followed two other similar breaches reported in August 2020 and July 2021, respectively, which resulted in the Danish DPA criticizing “Region Hovedstaden” (the capital region), as it was responsible for the Health Platform.

The security breach occurred when a code change in the platform unintentionally altered the Shared Medicine Record, causing the end date of dosing for 267 individuals on the Shared Medicine Record to not appear in the platform. The Capital Region of Denmark is the data controller for the Health Platform, while the Danish Health Data Authority is the data controller for the Shared Medicine Record.

The Danish Data Protection Agency’s decision
The Danish DPA seriously criticized the Danish Health Data Authority for not processing personal data in accordance with the rules in GDPR, Article 32(1) (security of processing), and Article 33(1) (late notification of personal data breaches).

Our remarks
• The case concerns a situation where several actors exchange data in a service-based architecture. The case specifically shows how a third party’s changes to a system can lead to unintended changes in a system that was not the intended target of the change.
• The Danish DPA emphasizes that the data controller is responsible for testing all likely error scenarios when developing or modifying software that processes personal data, including when changes are implemented by third parties. In these situations, clear agreements should be made between all actors in the architecture of the system so that the controller can maintain control and integrity of the system. This follows the requirement for appropriate organizational measures in GDPR, Article 32(1).
• Personal data breaches must be notified to the DPA without undue delay and, if possible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. In this case, the Danish Health Data Authority became aware of the breach on 9 August 2021 but did not report the breach until 13 August 2021, which the Danish DPA deemed too late.

Published: 22-06-2022, Journal number: 2021-442-14071, Tags: 05 Data security

University’s use of a monitoring program for online exams

Summary
On 30 April 2020, the Danish DPA received a telephone inquiry regarding the IT University’s (hereinafter “ITU”) intention to monitor students’ computers during a home exam using a monitoring program called ProctorExam. The program would record video, audio, and screen activity, as well as browser search history on students’ computers during the three-hour exam. To monitor compliance with the applicable rules, the recordings would be conducted through a Google Chrome web browser extension.

The Danish Data Protection Agency’s decision
The Danish DPA did not criticize ITU’s processing of personal data and concluded that the processing was in compliance with GDPR, Article 5 (principles for processing of personal data), Article 6(1) (lawful processing), and Section 11(1) of the Danish Data Protection Act (processing of personal identity numbers by public authorities for identification purposes). The DPA further concluded that the ITU’s processing for the use of ProctorExam complied with GDPR, Article 5(1)(f) (principle of integrity and confidentiality), Article 32 (security of processing), and Article 35 (data protection impact assessment).

Our remarks
• This decision thus serves as an example of the great importance of carrying out a concrete assessment of the risk for the data subjects in connection with certain processing operations, and that it can be demonstrated that the processing fulfills the principles of Article 5 of the GDPR.
• Information on the processing of personal data must be clear, accessible, and transparent, with a method of delivery tailored to the specific group of data subjects.
• For processing operations that are likely to result in a high risk to the individual’s rights and freedoms, it is essential to assess the potential risks before undertaking any processing activities.

Published: 26-01-2021, Journal number: 2020-432-0034, Tags: 01 Legal basis for processing and principles for processing

FysioDanmark: Use of facial recognition system

Summary
The Danish DPA initiated an investigation into FysioDanmark Hillerød ApS (“FysioDanmark”) concerning its proposed implementation of a biometric identification system. This system, which utilized facial recognition technology, was intended to regulate access to the company’s fitness center by both customers and employees. The system would collect direct and derived data for the purpose of optimizing business operations.

According to FysioDanmark, the system would only be used with the prior consent of customers and employees. To regulate access, users’ photos would be uploaded to an underlying database, and a camera at the entrance would scan faces to determine whether they matched any of the photos uploaded in the database. However, the system would scan a person’s face regardless of whether they had given consent and were registered in the user database.

Through the intended use of the system, FysioDanmark would process the biometric data for the purpose of uniquely identifying individuals, which in general is prohibited, cf. GDPR, Article 9(1), unless an exception to this prohibition can be identified in paragraph 2 of the article. The Danish DPA stated that the only possible legal basis for the intended processing would be consent, cf. GDPR, Article 9(2)(a). It should be noted that in the decision, the Danish DPA only considered whether GDPR, Article 6 or 9 could form the basis for the proposed processing, and not any other data protection law issues.

The Danish Data Protection Agency’s decision
The Danish DPA issued a warning to FysioDanmark that it would probably violate the GDPR if FysioDanmark:
• for statistical and business optimization purposes, processes biometric data for the purpose of uniquely identifying a data subject without obtaining consent from the data subject in accordance with GDPR, Article 9(2)(a), and
• uses the facial recognition system in the manner envisaged, as this would involve the processing of biometric data for the purpose of uniquely identifying a natural person on those individuals who have not consented to the processing, which is prohibited, as no exception can be identified in GDPR, Article 9(2).

Published: 17-03-2022, Journal number: 2021-431-0145, Tags: 01 Legal basis for processing and principles of processing

Our remarks
• The decision emphasizes that biometric data within the meaning of GDPR, Article 4(14) includes the processing of individuals’ facial images or fingerprint data.
• The Danish DPA clarifies that the data subject’s consent pursuant to GDPR, Article 9(2) is the only possible legal basis for processing biometric data of the nature in question. However, if the data are to be used for different purposes, the data subject is required to be able to give granular consent, i.e., to give separate consent for different processing purposes. This requirement can be met, for example, by allowing the data subject to specify the purposes for which he or she agrees to the processing of data in a consent form.
• Consent given by employees is not normally considered voluntary, given the unequal nature of the relationship between the employer and the employee. However, in this specific case, the employees’ consent was considered voluntary for two reasons. Firstly, because employees had the option of using an access card and code instead of the facial recognition system, and secondly, because the system only registered information about the employees in connection with his or her access to the center, and not about their movements in the center in general.
• Use of the system would also require that customers and employees who did not wish to use the facial recognition system could avoid the processing in question when accessing the center. According to the Danish DPA, this can be accommodated by organizing the system in such a way that the system is only ‘activated’ when a customer or employee who wishes to perform a face scan activates the system - e.g., by pressing a key.

DBA: Right to refuse a request for erasure

Summary
A complainant had asked DBA (a secondhand selling website) to delete his profile and associated personal data. DBA refused the request because three independent buyers on DBA had complained about the user and DBA needed to keep his data to block future access to the platform. DBA stated that the complainant had previously tried to circumvent the blocking by creating new profiles with different email addresses.

DBA emphasized that the storage and processing of the data were necessary to protect the vital interests of buyers, and to assist the police with any investigations in the event of identification.

The Danish Data Protection Agency’s decision
The Danish DPA concluded that DBA was not under an obligation to erase the data in question pursuant to GDPR, Article 17(1) (the right to erasure).

Our remarks
• The correct legal basis for processing such as that at issue in the case is GDPR, Article 6(1)(f) (legitimate interest), and not Article 6(1)(d) (vital interests), which DBA would otherwise have applied.
• DBA’s legitimate interest in storing data relating to the data subject meant that none of the conditions of the GDPR regarding the right to erasure were met.
• This case is an example of when other interests overrule the data subject’s right to erasure.

Published: 31-01-2022, Journal number: 2021-31-5439, Tags: Erasure and rectification

08 Selected interesting cases – from other EU member states

Consent-pay solution

Summary
An Austrian newspaper had structured its online presence as follows: Users had to agree to so-called “marketing cookies” to access all articles available online. Those who did not wish to consent to such cookies were unable to fully access all the newspaper’s articles. Alternatively, users could opt for full access via an online subscription that cost EUR 6 per month.

It was contested whether this constituted freely given consent, as the complainant argued that consent to cookies and different marketing activities could not be deemed freely given if it is given to avoid a payment obligation.

The decision of the Austrian DPA
The Austrian DPA rejected the complaint and found that the “consent or pay” solution was in accordance with the GDPR.

Our remarks
• A “consent or pay” solution can be legally viable if the following requirements are followed:
° The user is provided with clear information on how the solution works.
° Cookies are only placed after the user has made their choice.
° The content provided to the user should be comparable regardless of their choice.
° The pricing should be proportionate in light of the service. In this case, 6 EUR per month for a news website was deemed reasonable.
• Cookie walls have previously been the subject of debate due to doubts about whether it is possible to do it in a way where consent is given voluntarily by the data subject. This decision confirms that cookie walls can be considered lawful if the user has an alternative to consent to cookies through paid access.
• The decision is supported by two recent cases from the Danish DPA. In one of the cases, 4 EUR a month for access to the Danish equivalent to Craigslist was accepted. In the other case, a news media was criticized as it did not provide the same access to people that consented to cookies as to those who had a paid subscription.

Published: 18-01-2022, Journal number: N/A, Tags: 01 Legal basis and principles of processing

Lack of evidence of fraudulent use does not affect the classification of a breach

Summary
In 2015, a payment service provider called SLIMPAY reused personal data from its databases for testing purposes as part of a research project on an anti-fraud mechanism, and the data was left stored on a server without proper security measures. This led to personal data being freely accessible by anyone from the internet.

The database contained information such as civil status and bank information (e.g., IBAN) related to around 12 million persons. In 2020, a SLIMPAY client reported the data breach, and SLIMPAY took measures to stop it and notified the French Data Protection Authority (DPA). However, SLIMPAY did not notify the data subjects affected, even though they were in possession of the contact information for about 6 million of the affected data subjects.

In this case, no data subjects suffered any harm, which SLIMPAY argued should indicate that no fine should be imposed on them.

The decision of the French DPA
The French DPA imposed a fine of 180,000 EUR on SLIMPAY for not ensuring an adequate level of security (GDPR, Article 32), and for failing to inform the affected data subjects of a data security breach (GDPR, Article 34).

Our remarks
• One important technical measure that can help ensure compliance with Article 32 is logging server activity. Server logs are records of all activity that occurs on a server, such as who accessed the server, what data was accessed, and when the access occurred. By logging server activity, data controllers and processors can monitor and track potential security breaches, unauthorized access attempts, and other suspicious activity. The data controller will also be able to monitor which data potential intruders had access to during a personal data breach.
• It is not a mitigating factor that a breach occurs due to human errors. On the contrary, organizational and technical measures should try to compensate for human shortcomings.
• The lack of evidence of fraudulent use of data does not affect the classification of the security breach. This is because the risk of fraudulent use of personal data was real, regardless of whether any cases of fraud occurred. The fact that many people’s data was made accessible to unauthorized third parties was enough to create a risk.
• The data controller is only obliged to inform the data subjects if the personal data breach is “likely to result in a high risk to the rights and freedoms of natural persons”. A personal data breach concerning financial information like IBAN constitutes a high risk for the data subjects, and therefore they should have been notified about the breach in this case. This notification should be sent directly to the data subject or can in some situations be done via public communication. The DPA notes in the case that, even though public communication would probably not be sufficient in this case, it would have been better than not doing anything at all.

Published: 28-12-2021, Journal number: N/A, Tags: 05 Data security
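The remark above on server logging describes what logs make possible after a breach: finding the unauthorized access and establishing which data the intruders reached. The following is an added example (not code from the casebook, from SLIMPAY, or from the French DPA) showing how a controller can do both with ordinary web-server access logs. The log lines are constructed for the example, the `/research/` path and the `10.0.0.0/8` internal range are assumptions, and the scoping output is the kind of information an Article 33/34 assessment needs: which files were retrieved, by how many external clients, and over what time window.

```python
"""Added example: detect and scope unauthenticated external access to a test
data export using constructed access-log lines (not a real incident's logs)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx "combined" format. Assumption: the
# research-project export was published under /research/ (hypothetical path).
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Mar/2020:09:12:01 +0000] "GET /research/db_export_2015.sql HTTP/1.1" 200 48211932 "-" "curl/7.68.0"
203.0.113.77 - - [02/Mar/2020:11:40:17 +0000] "GET /research/db_export_2015.sql HTTP/1.1" 200 48211932 "-" "python-requests/2.22"
198.51.100.23 - - [02/Mar/2020:11:41:03 +0000] "GET /research/ HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2020:11:41:09 +0000] "GET /research/customers_part3.csv HTTP/1.1" 200 9921334 "-" "Mozilla/5.0"
203.0.113.77 - - [03/Mar/2020:02:05:44 +0000] "GET /research/customers_part3.csv HTTP/1.1" 404 512 "-" "python-requests/2.22"
10.0.0.9 - bob [03/Mar/2020:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: these are the controller's own networks; any other client is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SENSITIVE_PREFIX = "/research/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["external"] = not any(ip_address(rec["ip"]) in net for net in INTERNAL_NETS)
    rec["authenticated"] = rec["user"] != "-"
    return rec


def find_exposure(log_text):
    """Return successful (2xx) requests for sensitive paths made by unauthenticated
    external clients; failed requests (e.g. 404) are not counted as exposure."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"].startswith(SENSITIVE_PREFIX) and 200 <= rec["status"] < 300
                and rec["external"] and not rec["authenticated"]):
            hits.append(rec)
    return hits


def scope_breach(hits):
    """Summarize per file which external IPs retrieved it, how many bytes were served,
    and the first and last access time, which is what breach scoping needs."""
    per_file = defaultdict(lambda: {"ips": set(), "bytes": 0, "first": None, "last": None})
    for h in hits:
        entry = per_file[h["path"]]
        entry["ips"].add(h["ip"])
        entry["bytes"] += h["size"]
        entry["first"] = h["ts"] if entry["first"] is None else min(entry["first"], h["ts"])
        entry["last"] = h["ts"] if entry["last"] is None else max(entry["last"], h["ts"])
    return dict(per_file)


if __name__ == "__main__":
    exposure = find_exposure(SAMPLE_LOG)
    for path, info in scope_breach(exposure).items():
        print(f"{path}: {len(info['ips'])} external client(s), {info['bytes']} bytes, "
              f"{info['first']:%Y-%m-%d %H:%M} to {info['last']:%Y-%m-%d %H:%M}")
```

On the constructed input the internal, authenticated download by `alice` is not flagged, the external 404 is ignored, and three successful external retrievals remain, giving a per-file picture of what left the server and when. The same scan run over a retention window of real logs is what lets a controller state, rather than guess, which data subjects must be notified.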


Is information about private relations sensitive personal data?

Summary
Under the Lithuanian anti-fraud law, officials were required to provide information about their spouse, cohabitant, or partner, such as full name, social security number, place of employment, etc. An official contested this requirement, arguing that the information he was required to give revealed sensitive personal details, as the sexuality of the official could be deduced from this information.

The preliminary questions that were brought before the Court of Justice of the European Union (CJEU) were the following:
1. Is national legislation that requires online publication of name-specific data relating to an official’s family members precluded by GDPR, Article 6(1) and (3)?
2. Is personal data that can indirectly reveal the special categories of a natural person considered special category data under the GDPR?

The decision of the European Court of Justice
The CJEU found that national legislation that requires online publication of name-specific data relating to an official’s family members or other close individuals is precluded by GDPR, Article 6(1)(c) and (e) and Article 6(3). The CJEU also ruled that the publication of personal data which indirectly discloses someone’s sexual orientation constitutes the processing of special categories of personal data under GDPR, Article 9(1).

Our remarks
• There is generally a prohibition against processing special categories of personal data. Prior to processing sensitive personal data, it is imperative to have a lawful basis in GDPR, Article 6(1), and to meet one of the exemptions in GDPR, Article 9(2).
• Personal data that is not sensitive in itself but can indirectly reveal information about sexual orientation is considered sensitive data. This can be data like:
° The full name of a partner that can reveal sexual orientation.
• It is a bit uncertain how this judgment should be applied in practice, but overall, it is advisable to initially assess whether personal data being processed includes any information that reveals sensitive personal data. The data controller needs to evaluate if they process any regular types of data that can reveal special types of information.
• The judgment could also be a prompt to rethink your erasure policy, as potentially more personal data can be considered to be sensitive personal data.

Published: 01-08-2022, Journal number: N/A, Tags: 01 Basis and principles of processing

Grindr preliminarily fined for 100 million NOK for consent solution

Summary
The Norwegian Consumer Ombudsman complained to the Norwegian Data Protection Authority (DPA) about Grindr LLC’s (‘Grindr’) processing of users’ personal data, including, for example, information on users’ sexuality and location. The Ombudsman’s complaint centered on Grindr’s consent solution and the fact that the user’s personal data was shared with a large number of third-party advertisers, which was not clear to the user.

Grindr is the world’s largest social media platform for people in the LGBTQ+ community, with 13.7 million users worldwide and approximately 17 thousand users in Norway.

Grindr’s consent solution worked in such a way that the user was first presented with Grindr’s entire privacy policy, after which the user could choose whether to continue. Next, the user was asked if he or she wanted to accept the data processing by clicking “accept”. Users could avoid having their personal data shared with third-party advertisers if they upgraded their accounts and paid a monthly fee.

Grindr’s defense in the case was that the company could not be held responsible for the consent standards that had just been published by the European Data Protection Board. In response, the Norwegian DPA stated that Grindr’s consent solution had been illegal since the implementation of the GDPR in 2018 and that the rules on consent as a basis for processing ordinary personal data had not been substantially changed since the 1995 Data Protection Directive.

The above resulted in a preliminary decision, to which Grindr could make their final submissions before the Norwegian DPA issued a final decision.

The decision of the Norwegian Data Protection Authority
In the preliminary decision, the Norwegian DPA fined Grindr 100 million NOK for having:
• Shared personal data with third-party advertisers without a legal basis for the processing (GDPR, Article 6(1)).
• Shared personal data with third-party advertisers without a valid exception (GDPR, Article 9(1)).

Published: 24-01-2021, Journal number: 20/02136-5, Tags: 01 Basis for processing and principles of processing

Our remarks

The consent solution
• If consent is to be used as a basis for processing, it is important to observe the requirements for valid consent, including that it constitutes a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. To fulfill the “informed” criterion, the data subject must be adequately informed of the processing purposes pursued and the activities carried out. This is achieved in the following ways:
° The data subject separately gives consent for each processing purpose. In this case, the user consented to several different processing purposes with one click.
° The information provided to the data subject is presented clearly and concisely. In this case, the user was presented with the entire privacy policy at once, where Grindr should have highlighted essential information such as whom the personal data was shared with.
° The data subject must not be harmed by not giving consent or by withdrawing consent. In this case, the user could pay NOK 3,240 per year to use the app without the personal data being shared with third parties. According to the Norwegian DPA, this was enough for the data subject to suffer harm by not giving or withdrawing consent.
° For more information on the requirements for valid consent, you may wish to read the EDPB’s guidelines on consent.
• It is also relevant to consider the types of personal data being processed. Even if one does not directly process information about the sexuality of the data subject, the processing could probably still fall under Article 9 of the GDPR if, in cases such as the one in question, sensitive personal data could be inferred from knowing which community the data subject belongs to.
• The fact that a person creates an online (dating) profile with millions of users does not automatically mean that sensitive personal data from that profile can be processed under the exemption in Article 9(2)(e), even though it says that sensitive personal data made public by the data subject himself can be processed.

The imposition of a fine
• When calculating the fine, the nature of the offense may be considered. A larger fine is likely to be imposed if many people have unlawfully accessed personal data and if the unlawful processing has taken place over a long period.
• It is important to consider the types of personal data that have been processed and how they interact with each other. In this specific case, the Norwegian DPA considered it an aggravating circumstance that information about users’ sexuality, together with their exact location, was shared, as this constituted a threat to the data subjects’ freedoms. According to the Authority, this should be seen in the context of the fact that Grindr is considered a “safe space” for people in the LGBTQ+ community and that those in the community are particularly concerned that others do not have access to this information.
• In this context, it is interesting to consider whether these circumstances would be considered by a court to be so serious that data subjects would be able to obtain damages from Grindr, if such an action were to be brought.
• According to German and Austrian courts, harm does not have to be economic, but it must be objectively significant and involve social or personal consequences for the data subject, such as negative public exposure or humiliation.
• It is not inconceivable that this could be the case if this information came into the possession of unauthorized persons - especially considering the Norwegian DPA’s premise that Grindr is considered a “safe space” for people in the LGBTQ+ community.
° If the offense could give rise to a claim for damages, it is interesting that the case involves a large number of data subjects, each of whom could potentially claim damages. This could pose a serious financial threat to Grindr if the Norwegian DPA even ends up upholding the NOK 100 million fine.
° It is an aggravating circumstance if the data processor has made money from unlawful processing. This takes into account what other fines have been imposed in Europe in similar cases, where, for example, Google was fined EUR 50 million in 2020. When you have monetized unlawful processing, the supervisory authority in question will probably often find that the unlawfulness is committed intentionally, which will also be an aggravating circumstance.
° Finally, it is interesting that the Norwegian DPA recognized the COVID-19 situation as a mitigating circumstance regarding the amount of the fine.

SCHREMS II Summary Our remarks The case was brought by Max Schrems, an Austrian • Before transferring personal data to a third country privacy activist, who challenged the transfer of his like the US, one should assess the risk of the transfer personal data by Facebook Ireland to servers located and evaluate the adequacy of the protection in the United States. Schrems argued that U.S. laws did offered by the recipient country. This is done not provide sufficient protection for the personal data through a Transfer Impact Assessment (TIA). We of European Union citizens, and that EU citizens had no have made a roadmap for doing this, which you effective legal remedies in the U.S. courts. can read here. The case was referred to the Court of Justice of the • When assessing the adequacy of the level of data European Union (CJEU), which examined the legality of protection in the third country, the following needs the transfer of personal data from the EU to the United to be assessed: States under the EU-U.S. Privacy Shield Framework. ° The adequacy of the legal framework. This can The decision of the European Court of Justice involve assessing the comprehensiveness of the legal framework, as well as the enforcement mechanisms In its ruling, the CJEU invalidated the Privacy Shield, in place to ensure compliance. finding that it did not provide adequate protection for the personal data of EU citizens transferred to ° The practice conducted by the legal entities of the United States. The Court stated that U.S. laws did the country. For example, should the possibility not offer EU citizens adequate protection from U.S. of government surveillance be conducted. This intelligence agencies, and that EU citizens had no can involve evaluating the legal framework for effective legal remedies in the U.S. courts. surveillance, as well as any known instances of government surveillance or censorship. 
• At the time of writing, the transatlantic data transfer agreement named the EU-US Data Privacy Framework (DPF) has been approved by the European Commission. This means that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply. You can read more about it here.

Published: 16-07-2020, Journal number: C-311/18 Tags: 06 Transfers to third countries

Deliveroo fined 2.5 million EUR for not informing about automated processing

Summary

An Italian food delivery company, Deliveroo, used AI technology to manage their couriers’ ability to choose shifts. Shifts between 19:00 and 21:00 on Fridays, Saturdays, and Sundays (called ’super peak’ shifts) paid higher wages and were therefore more popular. The courier with the best score had priority in booking shifts. A bidder’s score was based on previous participation in super peak shifts, how many times they had canceled a booked session, and how quickly they delivered orders. A bidder could see its score but could not see how it was calculated.

The decision of the Italian Data Protection Authority

The Italian Data Protection Authority fined Deliveroo 2.5 million EUR for failing to ensure sufficient transparency (GDPR, Article 5(1)(a)), and for not implementing appropriate measures to safeguard the data subject’s rights in relation to profiling (Article 22(3) of the GDPR).

Our remarks

• Using AI technology to score an individual based on personal data constitutes profiling. To ensure that the profiling is compliant with the GDPR, you must inform the data subject clearly, in language that is easy to understand, about the following:

° That the profiling is taking place.

° What data is used for profiling.

° How the technology behind the profiling calculates the results.

° That the data subject is allowed to object to the outcome of the profiling.

° That the AI technology is only fed with the data necessary to achieve the desired output.

• When performing profiling via AI technology, a data impact assessment should always be carried out beforehand, testing the technology for bias to ensure that the profiling arrives at a correct result and is not discriminatory.

Published: 22-07-2021, Journal number: 9685994 Tags: 01 Legal basis for processing and principles of processing

Meta tracking tools found to breach EU rules on data transfers

Summary

An Austrian local news website used tracking tools made by Meta in August 2020. This included the use of cookies (for the use of ”Facebook Login”) and pixels (”Facebook Pixel”, for tracking purposes).

Cookies are small files stored on the user’s device or in their browser, whereas pixels are 1x1-pixel images which are also stored in the user’s browser and can thereby collect various kinds of data usable for marketing purposes.

In the case it was established that the news website was data controller for the processing and that the data processed via the pixels and cookies was personal data. This information included IP addresses, user agent, user ID, etc.

The personal data processed by the tools was then transferred to the USA.

The Austrian DPA incorporated Meta’s transparency report in its assessment of the case. It used it, among other things, to show that personal data regarding Austrian citizens was subject to surveillance by American entities.

The decision of the Austrian DPA

The Austrian DPA found that the use of Facebook Tools in the specific situation was illegal as there was no legal basis for transferring data to the USA (GDPR, Article 44).

Our remarks

• When using pixels, the collection and processing of personal data occurs. Therefore, the applicable rules regarding legal basis, erasure, transfer to third countries etc. should be considered.

• It is crucial to ensure that the marketing tools purchased comply with the rules regarding the transfer of personal data to third countries, as these services are often supplied by American vendors.

• One way to solve the issue of using services that constitute illegal transfers to third countries is to anonymize the data before it is transferred to the third country. For instance, this is possible with a reverse proxy server when using Google Analytics. The French DPA has made a guide on how to set this up.

• At the time of writing, the EU and US have reached a preliminary agreement on a new transatlantic data transfer agreement named the EU-US Data Privacy Framework (DPF). However, other EU institutions need to review and examine the agreement before it can be officially adopted. Assuming the framework is approved, the USA would be considered a safe third country, eliminating the challenges described in this case.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 16-03-2023, Journal number: GZ: D155.028 - 2022-0.726.643 Tags: 06 Transfers to third countries

Italian DPA bans ChatGPT

Summary

ChatGPT is the best known among relational Artificial Intelligence (AI) platforms that are capable of emulating elaborate human conversations. The platform is developed by OpenAI, who trained the model on a large body of text gathered from various sources. In just a few months, the platform has amassed more than 1 billion users. As the number of use-cases for platforms like ChatGPT is predicted to be almost unlimited, the regulatory response to the massive success of the platform has gathered great attention throughout the EU.

The decision of the Italian DPA

The Italian DPA imposed an immediate temporary limitation on the processing of Italian users’ data by OpenAI for the following alleged violations:

• The service fails to provide users and data subjects with transparent information about the processing of their personal data.

• There appears to be no legal basis underpinning the massive collection and processing of personal data used in ‘training’ the algorithms on which the platform relies.

• The information provided to the users might be factually incorrect, possibly constituting processing of inaccurate personal data.

• The lack of a user age verification mechanism exposes children to receiving a service that is inappropriate to their age and awareness.

Additionally, the Italian DPA launched an investigation on the matter.

A few weeks later, the Italian DPA gave OpenAI a ‘to-do list’ for the DPA to lift the suspension order. OpenAI had to:

• Become transparent and publish an information notice detailing its data processing.

• Immediately adopt age gating to prevent minors from accessing the platform (and later implement more robust age verification measures).

• Clarify the legal basis it claims for processing people’s data for training its AI models.

• Provide ways for users and non-users to exercise rights over their personal data.

The ban has since been lifted, but the investigation continues.
Published: 30-03-23, Journal number: N/A Tags: Legal basis for processing and principles of processing

Our remarks

• The swift and comprehensive action from the Italian DPA shows great regulatory attention in the field of AI-powered platforms such as ChatGPT.

• Besides the Italian DPA, supervisory authorities in France, Germany, Ireland, Canada and South Korea have initiated investigations into OpenAI’s practices.

• Additionally, the EDPB has launched a dedicated taskforce to “foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities”.

• With the widespread commercial success of Artificial Intelligence powered platforms, and the ongoing warnings from academics and professionals, the regulatory framework for platforms such as ChatGPT is highly disputed.

• The ongoing controversy surrounding the platform also illustrates the need for a comprehensive legal framework for artificial intelligence in general. It remains to be seen if the upcoming EU AI Act will claim that role.

• On a GDPR note, one should always remember to enter into a data processing agreement and carry out a risk assessment before using services like ChatGPT, if personal data is shared with the AI.

• If a data controller processes personal data using AI, it is important to assess whether the processing falls within the scope of Article 22 of the GDPR, regarding “Automated individual decision-making, including profiling”. This article provides the data subject the right not to be subject to decisions “based solely on automated processing, including profiling, which produces legal effects”.

• Regarding the obligation to inform about processing personal data in AI, please refer to the case “Italian Deliveroo was fined €2.5 million for not informing about the automated processing”.

Pseudonymized data might not be personal data if the recipient has no means of re-identifying the data subject

Summary

As a part of a creditor hearing concerning the resolution of a bank, the public authority known as the Single Resolution Board (SRB) sought comments from individuals through an electronic form. To streamline the process, SRB outsourced a part of the work to a third-party private entity, Deloitte. Before the transfer to Deloitte, SRB ensured that Deloitte had no means of re-identifying the data subjects by dividing the workflow into different phases. In the first phase, the SRB replaced the names in the forms with a 33-digit alphanumeric code and filtered, categorized, and aggregated all comments so that commenters could not be distinguished. SRB then entered the second phase, which involved a transfer to Deloitte. The data was placed on a virtual server separated from the data gathered in the registration phase, to which only directly involved Deloitte employees were granted access.

The alphanumeric code was developed for audit purposes to verify and, if necessary, to demonstrate that each comment had been handled and duly considered in the hearing process.

Five complaints were issued to the European Data Protection Supervisor (EDPS), arguing that SRB did not fulfill its obligations to inform the data subjects of the transfer, as the SRB privacy policy did not mention any such transfer.

The EDPS decided that SRB did not fulfill its obligations towards the data subjects regarding the transfer of personal data, as the data in question was pseudonymized personal data, and SRB retained the necessary information to decode the data.

On the other hand, SRB claimed that the assessment of whether the data transmitted to Deloitte constituted personal data relied on a ‘risk of re-identification’. In this regard, SRB argued that Deloitte did not have any lawful means of accessing the information required for re-identification, making the risk of re-identification reasonably unlikely.

The decision of the Court of Justice of the European Union (CJEU)

The Court decision did not examine whether the answers to the questions themselves could be considered as personal data. The Court emphasized that the classification of personal opinions as personal data should not be automatic and must be contingent upon specific circumstances. These include evaluating the content, purpose, and effect of the opinion to determine whether it can be attributed to an identifiable individual. The Court limited its examination to whether the information transmitted to Deloitte was personal data.

The Court annulled the EDPS’ decision based on the following arguments:

• The EDPS should have assessed whether the comments constituted personal data from Deloitte’s perspective, stating that merely examining whether it was possible to re-identify the authors of the comments from the SRB’s perspective was insufficient.

• The CJEU stated that the EDPS should instead have determined whether the possibility of combining the information that had been transmitted to the third party with the additional information held by the SRB constituted a means likely to be used by the third party to identify the authors of the comments.

Published: 26-04-23, Journal number: T-557/20 Tags: 07 Scope of the GDPR

Our remarks

• When determining whether data qualifies as personal data, it is essential to consider the perspective of the data recipient.

• The ability of the data transmitter to re-identify the data subjects does not affect the recipient’s classification of the transmitted data as personal data and does not automatically render the data personal for the recipient.

• If pseudonymized personal data is shared with a recipient who is effectively incapable of re-identifying the individuals, the data might be considered anonymous, thereby no longer considered personal data.

° Consider what steps to take to ensure that the receiving party has no legal means to re-identify the data subject. In this regard, both organizational and technical measures should be considered. The less likely the receiving party is to be able to re-identify the data subjects, the more likely the data is to be considered non-personal.
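The two-phase workflow from the SRB case, as an added illustration that is not the casebook’s or the SRB’s own code: in phase one each submission’s identity is swapped for a random 33-character alphanumeric code and the code-to-identity mapping stays with the controller, and the phase-two package handed to the third party carries only codes, categories and comment text. The sample submissions and the keyword categorizer are constructed assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 33                      # the SRB workflow used a 33-character code
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample hearing submissions; not data from the case file.
SUBMISSIONS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "comment": "The valuation of the assets was far too low."},
    {"name": "Bob Example", "email": "bob@example.test",
     "comment": "The procedure was not transparent to creditors."},
    {"name": "Alice Example", "email": "alice@example.test",
     "comment": "Creditors were given too little time to respond."},
]


def categorize(comment: str) -> str:
    """Coarse keyword bucketing; a stand-in (assumption) for the real filtering."""
    text = comment.lower()
    if "valuation" in text:
        return "valuation"
    if "procedure" in text or "time" in text:
        return "procedure"
    return "other"


def phase_one(submissions):
    """Controller-side step (SRB's role): swap identities for random codes.
    Returns (key_store, records); key_store maps code -> identity and is the
    only link back to a person, so it must never leave the controller."""
    key_store, records = {}, []
    for sub in submissions:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        while code in key_store:                     # practically never loops
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        key_store[code] = {k: sub[k] for k in DIRECT_IDENTIFIERS}
        records.append({"code": code,
                        "category": categorize(sub["comment"]),
                        "comment": sub["comment"]})
    return key_store, records


def phase_two(records):
    """Package handed to the third party (Deloitte's role): codes, category
    and comment text only, grouped by category."""
    package = {}
    for rec in records:
        package.setdefault(rec["category"], []).append(
            {"code": rec["code"], "comment": rec["comment"]})
    return package


def leaks_direct_identifier(package, key_store) -> bool:
    """Pre-transfer check: no value from the key store may appear in the package."""
    held = {v.lower() for ident in key_store.values() for v in ident.values()}
    return any(h in item[field].lower()
               for items in package.values() for item in items
               for field in ("code", "comment") for h in held)


def resolve(package, key_store):
    """Re-identification attempt with whatever mapping the caller holds: the
    controller's key store resolves every code, while a recipient that holds
    only the package (an empty mapping) resolves nothing."""
    return {item["code"]: key_store[item["code"]]["name"]
            for items in package.values() for item in items
            if item["code"] in key_store}
```

Because every submission receives a fresh code, two comments by the same person cannot even be linked to each other from the package alone; the audit link the case describes exists only through the controller’s key store.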

Meta fined 405 million EUR for not handling teenagers’ data appropriately

Summary

Instagram allowed teenagers aged between 13-17 to create business accounts whereby the children’s contact information was publicly available by default.

The case was brought before the European Data Protection Board as the Irish DPA, as lead supervisory authority, triggered the dispute resolution procedure concerning the objections raised by several concerned supervisory authorities. The final decision was adopted by the Irish DPA.

The question in the case was whether Meta had a legitimate interest in disclosing the personal data of the children, as they used this as the legal basis for processing the personal data.

Binding decision from Irish DPA

The Irish DPA found that Meta did not have any valid basis for making their personal data publicly available. Therefore, Meta was fined 405 million EUR.

Meta was also ordered to change the setup of business accounts for children, so that children’s data was not made public by default.

Our remarks

• Meta’s financial gain from the infringement was decisive for the outcome of the case and the size of the fine.

• The case is a reflection of the Better Internet for Kids strategy (BIK+). The European Better Internet for Kids strategy (BIK+) is an initiative focused on creating a safer and more positive online experience for children and young people. It aims to raise awareness about online risks, provide tools for protection, foster resilience in dealing with negative experiences, and advocate for effective policies to ensure child safety online. The initiative has been adopted by several countries and international organizations such as UNICEF.

• A data controller should be aware of how information about the data subject is provided when they know they have young users. A good tip here is to use age filters. Another way to address the challenges, for example, is that TikTok has made a privacy policy for American children that is written in simpler language. Initiatives like this are a good step towards complying with the obligation to inform when it comes to children.

• The case reminds us that users may use services in unintended ways. Therefore, controllers should be aware of unexpected usage patterns and should test for them before releasing new features in a system.

• The case is at the time of writing under appeal.

Published: 28-07-2022 Journal number: 2/2022 Tags: 01 Legal basis for processing and principles of processing


09 Methods and Scope

Methods and Scope

In this EU Casebook 2023, we have reviewed decisions published by the Data Protection Authorities of the Netherlands, Germany, Belgium, and Denmark in the period from May 2018 to May 2023. In compiling the statistical material, we have categorized decisions based on our judgment of the main themes of the cases.

For each decision in the Casebook, we present a summary delineating both the case’s background and the decision taken by the respective data protection authority. In addition, we include our commentary on each decision, offering interpretive insights drawn from our legal case analysis. It should be noted that while the Casebook does not provide comprehensive coverage of all technicalities of the included cases, our summaries are deliberately tailored to highlight the questions we deem particularly significant or interesting for the reader.

Our summaries aim to provide an overview to readers working with GDPR and data protection law on a daily basis. Therefore, the Casebook should not be regarded as formal legal literature. Rather, the choice to write the Casebook in a user-friendly, accessible language is intentional. This approach enables our audience to gain a broad understanding of the rules’ practical implications, catering to readers regardless of whether they have a legal background or not.

At ComplyCloud, we have been committed to delivering comprehensive and pertinent data protection resources since the General Data Protection Regulation came into effect in May 2018. We have consistently published a Danish Casebook each year, encompassing all decisions taken by the Danish Data Protection Authority. These Casebooks serve as a relevant resource for data protection professionals, offering concise and business-relevant legal analyses that help navigate the complexities of the field. Expanding on this commitment, we are now excited to announce the publication of our EU Casebook, providing an even broader perspective on data protection across the European Union.

The Casebook 2023 specifically highlights the decisions that led to the 10 most substantial GDPR fines in each of our three focal countries, the Netherlands, Germany, and Belgium, complemented by 10 intriguing, handpicked cases from each of these countries. Recognizing ComplyCloud’s core expertise, the Casebook also includes a collection of notable decisions by the Danish Data Protection Authority. To provide a broad perspective, the Casebook further incorporates 10 compelling cases from data protection authorities and judiciaries across various other EU countries.

About ComplyCloud

ComplyCloud is on a mission to empower businesses to achieve seamless compliance and build unwavering trust with simplified data protection and IT security. We believe in privacy as an important human right, and we fight for a world where data and privacy are treated with fairness and transparency.

ComplyCloud was founded in 2017 and has established itself as a trailblazer in the realm of ”IT solutions in legal/compliance”. ComplyCloud is a full-service SaaS platform for data protection and IT security compliance that combines legal expertise and software to automate all task management and mandatory documentation.

ComplyCloud ApS
CVR: 35813764
Borgergade 24B, 3rd-4th floor
1300 Copenhagen K
Denmark
www.complycloud.com