A selection of relevant EU developments as regards Data Privacy – October 2019
In this issue:
1. National legislation related to Data Privacy
2. Sanctions for breach of GDPR
3. EU Official Guidelines and Standards
4. EU Jurisprudence
5. Our cherry
Government Decision No. 584/2019 amending and supplementing Government Decision No. 494/2011 on the establishment of the National Cyber Security Incident Response Centre – CERT-RO
Official Gazette of Romania, Part I, No. 673 of August 13, 2019. ● Date of entry into force: August 13, 2019 ● Applies from: August 27, 2019
The Decision regulates the designation of CERT-RO as the competent authority at national level for the security of network and information systems used to provide essential services or digital services, within the meaning of Law No. 362/2018.
NBR Regulation No. 2/2019 on preventing and combating money laundering and terrorist financing
Official Gazette of Romania, Part I, No. 736 of September 9, 2019. ● Date of entry into force: September 9, 2019 ● Applies from: October 2, 2019
The Regulation changes the rules on client vetting (customer due diligence). Inter alia, the following changes are notable:
– Provisions on data minimisation – e.g., for occasional transactions less data may be processed for vetting purposes; the possibility to apply simplified client vetting measures where there is a low risk of money laundering and terrorist financing;
– Credit institutions cannot initiate or continue a business relationship, or carry out an occasional transaction, if they do not apply client vetting measures, including in cases where they cannot establish the legitimacy of the purpose and the nature of the business relationship or cannot manage the risk of money laundering and terrorist financing.
SANCTIONS FOR BREACH OF GDPR
When “time is of the essence”: ICO recommendation on the timescale for data subject access requests (SARs)
Following the CJEU ruling in Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees, the ICO updated its guidance on data subject requests.
Highlights: Timescale for a SAR reply
– When establishing the deadline for replying to a SAR, the day of receipt of the SAR counts as “Day 1”. This means that the reply deadline for a SAR received on 29 August is 29 September (and NOT 30 September).
– The same timescale should apply when computing the reply deadline for the other data subject rights regulated under the GDPR.
Ready? The Lower Saxony data protection authority (“LfD Niedersachsen”) GDPR implementation checklist
LfD Niedersachsen published a GDPR implementation checklist which may be used to verify current GDPR compliance status.
IAB Tech Lab updates the technical specifications for the IAB Europe Transparency & Consent Framework
IAB Europe, the leading European-level industry association for the digital marketing and advertising ecosystem, in partnership with IAB Tech Lab, announced the launch of the second iteration of the Transparency and Consent Framework (TCF).
The handbook aims to support the training of data protection officers (DPOs) of public institutions in their new duties under the GDPR. Though addressed to public institutions, the same standards could be considered for DPOs in the private sector. The handbook may be accessed here.
– DPO’s expert knowledge refers to:
(a) expertise in the area of EU privacy and data protection law, including expertise in IT and IT Security; and
(b) a good understanding of the way the institution [to which the DPO is appointed] operates and of its personal data processing activities, and an ability to interpret relevant data protection rules in that context.
– Technical knowledge of IT systems implies a good understanding of IT terminology, [IT] practices and the different forms of data processing. A DPO should be knowledgeable about, for example, data management and exploitation systems, the types of software used, file and data storage systems, as well as the requirements of confidentiality and security policies (data encryption, electronic signatures, biometrics, etc.).
Schleswig-Holstein State Commissioner for Data Protection (“ULD”): tips for preventing security breaches (available in German only)
ULD published some tips for preventing security breaches. Inter alia, it notes the need to use encryption where a website displays forms that collect customer data.
The Information Commissioner (“IC”) of Isle of Man: Guidance on use of CCTV
The IC has published a guideline on the use of CCTV by controllers.
– CCTV cameras should be sited, and image capture restricted, to ensure that they do not cover areas not of interest or not intended to be monitored (such as individuals’ private property).
– The system must have the necessary technical specification to ensure that images are of the appropriate quality for the envisaged purpose.
– CCTV camera signs/pictograms should: (i) be clearly visible and readable; (ii) indicate details of the organisation operating the system, the purpose(s) for using CCTV, and who to contact about the scheme, where these are not obvious from the context; and (iii) be of an appropriate size.
– Disclosure of images from the video system must also be controlled and consistent with the purpose for which the system was established. However, individuals have the right to request copies of their images.
The Malta Gaming Authority: Commercial Communications Guideline
These Guidelines aim to provide practical guidance to any person offering licensable games and to persons who collaborate in any way with, or provide any service (including any marketing or promotional service) to or on behalf of, such persons.
CNIL (French DPA) Statement: Recording of employees’ phone conversations and computer actions
CNIL published a statement on the recording of employees’ phone conversations and computer activity (available in French only).
– As a rule, taking screenshots coupled with recording phone conversations is disproportionate when used for purposes other than training (e.g., staff evaluation, combating internal fraud, etc.).
AEPD (Spanish DPA) Technical Note: Proactive responsibility in mobile apps
AEPD published a technical note outlining GDPR practices for the organisations responsible for processing in mobile applications and for the developers of such applications.
– The GDPR information must be available both in the app store and in the application, in a language appropriate to the target user;
– Organisations that are controllers of the data processed in the applications must stipulate in their data processing agreements the processors’ obligation to ensure good practices and to consider privacy by design and by default from the very conception of the applications;
– The following practices should be particularly considered: granularity in the management of access permissions to protected system resources; respecting the user’s privacy preferences; not disseminating data to analytics and advertising services from the moment the application starts, before the user has been able to use it or adjust any settings; using advanced methods for encrypting communications.
Garante (Italian DPA): Code of conduct on credit risk analysis for private credit information systems (SIC)
– The processing of personal data contained in a SIC can be carried out exclusively for purposes related to the evaluation, taking on or management of a credit risk, and to the assessment of the reliability and punctuality of the data subject in making payments, in view of preventing the risk of fraud and identity theft;
– The processing of personal data is necessary for the pursuit of the legitimate interests of the participants in the use of the SIC for the purposes referred to in the Code of Conduct (CoC);
– Negative credit information relating to late payments, subsequently regularized, can be kept in a SIC up to: a) twelve months from the date of registration of data relating to the regularization of delays not exceeding two instalments or months; b) twenty-four months from the date of registration of data relating to the regularization of delays exceeding two instalments or months.
On 24 September 2019 the CJEU decided that, when receiving a request for de-referencing made by a data subject pursuant to the GDPR, the operator of the search engine is not required to carry out the de-referencing on all versions of that engine, but only on the versions corresponding to the EU Member States.
On 3 October 2019 the CJEU issued a preliminary ruling on the interpretation of Article 15(1) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (‘Directive on electronic commerce’).
– It decided that the Directive on electronic commerce, in particular Article 15(1), must be interpreted as meaning that it does not preclude a court of a Member State from:
– Ordering a host provider to remove information which it stores, the content of which is identical to the content of information, which was previously declared to be unlawful, or to block access to that information, irrespective of who requested the storage of that information;
– Ordering a host provider to remove information which it stores, the content of which is equivalent to the content of information which was previously declared to be unlawful, or to block access to that information, provided that the monitoring of and search for the information concerned by such an injunction are limited to information conveying a message the content of which remains essentially unchanged compared with the content which gave rise to the finding of illegality and containing the elements specified in the injunction, and provided that the differences in the wording of that equivalent content, compared with the wording characterising the information which was previously declared to be illegal, are not such as to require the host provider to carry out an independent assessment of that content, and
– Ordering a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law.
Future job opportunities for candidates
If a candidate is not selected for the next stage of the recruitment process, you might consider the following:
– Inform the candidates clearly and completely, before they submit their application, on the manner in which their data will be used for recruiting purposes.
(a) Let the candidates know if you intend to use their application also for job positions other than the one indicated in the recruitment announcement.
(b) Inform the candidates of their right to object, without justification, to the further use of their application for other available job positions. Be aware that candidates might also express their objection indirectly, for instance by specifically stating that they are only interested in the advertised position or by indicating the targeted job position.
– If you intend to use the application for further job opportunities:
(a) Inform the candidates of such intention; in particular, indicate the applicable period for such further use and the safeguards you will apply in this context (e.g., inactive storage such as archiving, pseudonymisation/encryption, limited access, etc.); and
(b) Obtain the candidates’ consent for such use.
Issued by the following data protection authorities: Garante per la Protezione dei Dati Personali (Italy), Agencia de Protección de Datos (Spain), Agencija za zaštitu osobnih podataka (Croatia), Commission for Personal Data Protection (Bulgaria) and Urząd Ochrony Danych Osobowych (Poland).