GDPR Update – November 2019
As we reach a point around 18 months after the GDPR came into force across EU member states in May 2019, enforcement actions are becoming much more frequent around Europe and involve parties from a range of sectors, both public and private. The purpose of this short bulletin is to draw attention to some of the most prominent Data Protection developments around Europe.
Where possible, we also seek to relate the findings to our own client organisations, in terms of how we can help mitigate the risks going forward, using PrivacyEngine as the tool to drive home the lessons learnt.
Germany: In October, the Data Protection Authority of Berlin issued a large 14.5m euro fine on German property company Deutsche Wohnen SE, citing non-compliance with Articles 5 (Processing Principles) and 25 (Privacy by Design). (Source: GDPR Enforcement Tracker)
Deutsche Wohnen SE used an archiving system for the storage of tenants' personal data that did not provide any means of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary, and therefore without establishing a valid lawful basis for processing the data.
It was therefore possible for staff to access the personal data of affected tenants which had been stored for several years, even though the data no longer served the purpose for which it was originally collected. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data, as well as bank statements.
In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.
Data Protection and PrivacyEngine Significance:
This case reaffirms the importance of having a system in place that highlights risk and particularly the need for a centralised means of identifying when there is no longer a lawful basis to process certain types of data.
Other systems should track retention expiry dates, and the DP Lead or Data Champion should upload retention/destruction documents to the My Documents section of PrivacyEngine. For example, a simple notification trigger on the DP Lead’s email system could be used as a reminder for retention periods that are due to expire. When inputting a record of processing activity on PrivacyEngine, the platform requires that a lawful basis for processing be selected, in line with Articles 6 & 9 GDPR and dependent on the category of personal data (normal or special category/sensitive).
The Deutsche Wohnen SE case emphasises that it is vital for the organisation’s DP Lead to have simple visibility of the Retention Schedule and Destruction Policies. Storing these in one part of PrivacyEngine will encourage good habits around these important DP policies, and Sytorus are always willing to support with template example documents and advice.
Austria: Also last month, the Austrian Data Protection Authority (DSB) issued a hugely significant 18m euro fine on Austrian Post, citing breaches of Articles 5 and 6 GDPR. (Source: GDPR Enforcement Tracker)
The Austrian Post had created profiles of more than 3 million Austrians – including information about their home addresses, personal preferences, habits and possible party affinity – which were subsequently resold, for example to political parties and companies. (In this case, a civil court judgement on compensation claims to the value of €800 has already been issued.)
The almost deceptive and excessive nature of the processing, coupled with a complete lack of transparency, were undoubtedly aggravating considerations for the Austrian Data Protection Authority, the DSB, when assessing the level of the fine.
Ireland comparison – Public Services Card:
This case has some similarities to the recent Public Services Card controversy in Ireland, where the Irish Data Protection Commissioner (DPC) Helen Dixon stated that the Department of Employment Affairs and Social Protection “fundamentally misunderstood” the basis on which the cards could be demanded by the Department for the likes of driver's licence applications, passport applications and online health services. The Irish DPC stated that there was no Article 6 GDPR basis for demanding the Public Services Card in order to process such applications or verify identity.
The DPC also found that there was no lawful basis for retaining the information. With some 3.2 million cards having been issued, this case, like the Austrian Post case, is a prime example of excessive processing with no lawful basis that runs completely against the GDPR principle of data minimisation (Principle 3). The processing of vast amounts of personal data, including sensitive data, without a lawful purpose clearly runs contrary to the spirit of the GDPR and the upholding of individual privacy standards.
In fact, the Austrian Post decision was aggravated by the presence of political party profiling in terms of possible voting affinities, which falls squarely within Article 9 (Special Category Data) and requires more robust DP practices and justification for processing.
As in the Austrian Post decision, the Public Services Card investigation also found that insufficient transparency was made available to the public on what personal data is processed and how it is treated. The DPC has ordered that the Department improve its privacy statements, make them easier to understand, and make the information available to the public. However, the Department is appealing the findings of the DPC, meaning a legal battle is imminent.
These few examples hopefully re-emphasise the vital need for clearly thought-out data processing structures within an organisation, regardless of the sector. If you think you may be required to provide transparency information to individuals but are unsure of the extent of this obligation, get in touch to see how PrivacyEngine can help.