Enforcement tables by country
Czech Republic
Details of infringement
eMarketing CZ is an advertising agency focusing on internet marketing and search, internet presentations and e-shops. The entity violated the law by sending unsolicited commercial communications (regarded as "spam") for about a year. It could not produce evidence that the recipients had agreed to receive this content, nor could it prove that the recipients were its customers.
The DPA imposed a fine of CZK 480,000 (approx. 17 500€), which is the highest fine ever imposed by the DPA for spreading unsolicited commercial communications. The decision is in legal force.
The Czech Post (Česká pošta in Czech)
The DPA investigated unsolicited commercial communications sent by the Czech Post to the official data boxes of businesses. The Czech Post filed objections against the DPA's finding, arguing that the messages were not spam but a "system report" and had been approved by the Ministry of Interior, which maintains the data boxes.
No fine has so far been imposed. The DPA handed over the case to the Ministry of Interior which has the competence to set sanctions in this particular case. The maximum possible amount of the fine to be imposed is CZK 10 million (approx. 350 000€).
Denmark
Details of infringement
April 2, 2014
Nets Danmark A/S
The Danish company Nets (a Nordic provider of payment, card and information services) did not use encryption on a website whose contact form was intended for the transmission of identification documents such as passports, driving licences, social security cards and tax bills, which can contain sensitive information such as social security numbers.
The Danish DPA criticised Nets and required immediate action to remedy the missing encryption.
Finland
Details of infringement
07 March 2014
Without any right to do so, person A logged in to person B's Facebook account and read B's private messages, using a PIN code to unlock a mobile device and the Facebook application installed on it. A was convicted of message interception, an offence under the Penal Code. How A had obtained the username and password for the service was of no relevance.
The ruling is interesting because supervisory authorities have disagreed over whether, and to what extent, the rules on confidentiality of communications apply to social media such as Facebook.
According to the ruling of the District Court of Satakunta, A was convicted of message interception and sentenced to minor day-fines.
France
Details of infringement
15 and 16 January 2014 (decisions n°2014-001 and n°2014-014)
HYPERCOSMOS operating under the name Commercial Center E. LECLERC
The CNIL carried out an on-site inspection of the company HYPERCOSMOS, operating under the name “Commercial Center E. LECLERC”, following a complaint concerning the company's implementation of a biometric system for monitoring employees' working hours. The inspection revealed that the Commercial Center was equipped with a disproportionate CCTV system, since (i) it filmed employees' access to their break rooms and placed some of them under constant surveillance; (ii) the biometric system, originally implemented by the company for access control purposes, was also used to monitor employees' working hours; (iii) the retention period for former employees' fingerprints was excessive; and (iv) insufficient information was provided to employees. In addition, the above-mentioned system had not been notified to the CNIL, as required under the French Data Protection Act.
The CNIL issued a formal notice requiring the Commercial Center E. LECLERC to comply with its obligations under the French Data Protection Act within two months (decision n° 2014-001). Given the number of violations and the intrusive nature of the systems implemented, the CNIL decided to make the formal notice public (decision n° 2014-014).
29 January 2014 (decision n°2014-040)
ASSOCIATION SOCIETE FRANCAISE DES URBANISTES – ASFU (The French Association of Urban Planners)
The CNIL received a complaint from an urban planner who had been unable to obtain the deletion of her CV from the ASFU's website. She also complained that the document was indexed by external search engines, which spread her personal data further. In January and March 2013, the CNIL asked the ASFU to comply with the complainant's request, but the Association failed to do so and asked the urban planner to withdraw her complaint. In June 2013 the CNIL issued an enforcement notice requiring the Association, within 15 days, to delete the complainant's personal data and to ensure that the document was no longer indexed by search engines. The CNIL also requested that the ASFU not oppose the CNIL's action and that it file a notification with the CNIL regarding its website. The ASFU responded in July 2013, arguing that it was not processing personal data and that the complainant's request was abusive, but that it had nevertheless taken the necessary measures to stop publication of the disputed data. In November 2013, the CNIL noted that the complainant's CV was still available on the ASFU's website.
The CNIL issued a fine of 1 € and made public its sanction decision.
29 January 2014 (decision n°2014-041)
ASSOCIATION JURICOM & ASSOCIES
The CNIL had received several complaints from legal professionals who had been unable to obtain the deletion of their contact details from the website “www.actes-types.com”, operated by the association “Juricom & Associés”. The website gives access to directories of legal professionals such as attorneys, judicial experts and bailiffs. Following an on-site inspection, the CNIL issued an enforcement notice requiring the association to comply with Article 38 of the French Data Protection Act, which provides for the right to object, on legitimate grounds, to the processing of personal data; the association failed to comply with the notice.
The CNIL notably highlighted that the complainants had demonstrated a legitimate interest in obtaining the deletion of their data on the following grounds: (i) the publication of their contact details on the website could raise issues with respect to the specific rules and restrictions on advertising to which such professionals are subject; (ii) the publication of premium-rate phone numbers on the website, instead of the actual phone numbers of the legal professionals concerned, prevented them from being contacted and damaged their reputation. As a consequence, the association had to comply with the complainants' requests.
The CNIL imposed a fine of 10,000 € and decided to make its decision public.
28 January 2014
Ruling of the Commercial Court of Paris (1st chamber) Mr. X. / Google Inc., Google France
Mr. X had noticed that, in the Google search engine, Google Suggest automatically associated his name with certain terms relating to a previous criminal conviction. Google ignored his request to delete the association with the disputed terms, on the grounds that the keywords were generated automatically from user queries, so Mr. X brought proceedings before the Commercial Court of Paris to obtain the effective suppression of the disputed link and its publication. The complainant asserted his right to object to the processing of his personal data under the French Data Protection Act and argued that Google should be considered a data controller under that Act. The Court held that the French Data Protection Act applied to the case and that Google was acting as a data controller. Google therefore had to comply with the complainant's request to suppress the disputed terms, which damaged his reputation.
The Commercial Court of Paris ordered Google to remove the link with the disputed terms from the search engine's suggestion tools within 30 days, under penalty of € 1.000 per infringement. The decision recognises an additional basis, under the French Data Protection Act, for any individual to exercise his right to object to Google's processing of personal data concerning him.
7 February 2014 (decision N° 374595)
Ruling of the French Conseil d’Etat Google Inc.
12 March 2014 (decision N°354629)
Ruling of the French Conseil d’Etat FONCIA Group
In 2010, the CNIL's on-site inspection of FONCIA Group, a French company operating in the real estate transaction sector, revealed thousands of files containing excessive comments on clients and prospects of the Group's real estate agencies in free-text fields, including insulting comments, information on convictions, religious opinions and information relating to the health status of clients. The CNIL issued a public warning against the Group. FONCIA Group asked the Conseil d'Etat to annul the CNIL's sanction, arguing notably that making the sanction public was disproportionate and that FONCIA Group could not be considered the data controller for the data on clients of the Group's various real estate agencies. The French top administrative court rejected this request and held in particular that:
- FONCIA Group qualifies as the data controller in this case, since it provides the entities of its group with the means of processing, decides on the nature of the data to be collected, and determines who is authorised to access the data and for how long it is retained. The appointment of data protection officers by the entities is not in itself sufficient to treat those entities as data controllers, as FONCIA Group had alleged.
- The CNIL's sanction is not disproportionate, in view of the seriousness of the infringements of the French Data Protection Act resulting from non-compliance with Article 8 of the Act, which prohibits the processing of sensitive data, and Article 6 of the same Act, which requires that only accurate, relevant and non-excessive data be processed.
12 March 2014 (decision N° 353193)
Ruling of the French Conseil d’Etat PAGES JAUNES GROUPE
Since 2010, the website “PagesBlanches.fr” had been building its telephone directories by automatically extracting personal data from the social network accounts of millions of users. On 21 September 2011, the CNIL issued a public warning against PAGES JAUNES GROUP for violations of the French Data Protection Act, in particular unfair collection of personal data, failure to keep the collected data up to date, violation of data subjects' privacy rights and violation of the principles relating to data quality. Following the CNIL's decision, PAGES JAUNES GROUP asked the Conseil d'Etat to annul the sanction. The Conseil d'Etat rejected the request and confirmed the CNIL's reasoning and sanction.
Germany
Details of infringement
Brücke Rendsburg-Eckenförde e.V. (Registered aid organization for mentally ill people)
RebuS GmbH (affiliated service provider)
3,600 documents containing sensitive personal data of patients were publicly available on the internet. The personal data were intended for internal use only but were not protected against unauthorized use. Responsibilities were not clearly defined, and neither entity could establish whether the service had ever been protected against unauthorized use since 2002.
Hamburg DPA imposed the following fines:
- 70 000€ for Brücke Rendsburg-Eckenförde e.V.
- 30 000€ for RebuS GmbH
Not made public
In the course of an M&A transaction concerning a newspaper, which had originally been distributed by subscription but was to be distributed only in stores after the acquisition, the seller nonetheless transferred the subscribers' personal data, including payment information, to the buyer, who wanted to use the data to distribute a different newspaper.
Berlin DPA imposed a fine of 10 000 €
Hungary
Details of infringement
Weltimmo S. R. O.
(Note: The Hungarian DPA ("Authority") has already decided on this matter imposing a fine of HUF 10,000,000 (approx. EUR 32,790), however, due to the appeal of the infringing entity, the competent court decided on the case and ordered the Authority to examine and decide on the matter again.)
Weltimmo is established in Slovakia. It operated two websites, ingatlanbazar.com and ingatlandepo.com, offering Hungarian real estate advertisements to Hungarian users. Advertisers could submit their ads after registration. The service was described as free of charge; however, data subjects were not informed that a fee would have to be paid after the expiry of a 30-day trial period.
The data subjects claimed that they had not been unambiguously and clearly informed that a fee would be payable after the expiry of the 30-day trial period. Data subjects received payment notices from Weltimmo requesting payment of the amount accrued after the trial period. When data subjects requested the deletion of their personal data, fulfilment of the request was made conditional on payment of the outstanding debts. Moreover, data subjects claimed they could not contact the company.
It was established that the jurisdiction of the Authority is based on the Privacy Act and that real estate advertisements qualify as personal data. The Authority found that Weltimmo unlawfully processed personal data, since after the data subjects requested deletion of their personal data, Weltimmo refused to delete them and continued processing them without any legal basis or purpose. It was also established that the letter rejecting the deletion of personal data did not contain information on the right to a legal remedy. The right of access was also breached, since data subjects could not contact Weltimmo by phone or e-mail, but only after logging into the internal messaging system.
The Authority imposed a fine of HUF 8,500,000 (approx. 27,900€) and ordered the infringing entity to delete the real estate advertisements that were still publicly available on the relevant websites and whose deletion the data subjects concerned had requested.
A public music school (Conservatoire)
Charts containing numerous personal data relating to hundreds of students were made available on three file-sharing websites by an employee of the school in order to create a backup, without any intention of causing harm.
According to the Authority, the conservatoire had no lawful basis for making the data in question publicly available; moreover, it breached its data security obligation.
The Authority imposed a fine of HUF 100 000 (approx. 330€).
Not made public
The infringing entity conducts claims management (factoring) activity. Several complaints were submitted alleging that data relating to debtors were collected from third parties via telephone calls.
The Authority established that the requirement to provide adequate information was not met, since the documents sent to data subjects requesting their personal data did not contain any information about the data processing (e.g. its legal basis or purpose), and the range of data requested exceeded what was necessary for the purpose of the processing. Furthermore, the infringing entity's data processing was found to be unfair, as it collected information (often sensitive, social, income- and wealth-related data) via phone calls from third parties as well, such as the debtor's siblings and neighbours. Additionally, the infringing entity processed personal data of third parties (persons who were not parties to the claims management contract). Finally, the Authority established that although the infringing entity had registered its data processing activity, the range of data actually collected exceeded the range of data registered.
The Authority imposed a fine of HUF 2 000 000 (approx. 6 500€), prohibited the unlawful data processing. It also ordered the infringing entity to delete the personal data of third parties whose data were processed without any legal basis, and personal data of debtors the processing of which is not necessary to enforce claims. Moreover, the Authority instructed the infringing entity to ensure that data subjects receive proper prior information about the processing of their data, to modify its data processing activity in order to comply with the Privacy Act. The Authority also ordered the entity to register all data collected.
Not made public
The infringing entity (an employer) operated surveillance cameras at its site, including in recreational facilities such as the canteen. Cameras were directed at the entrance of the recreational facilities and recorded 24 hours a day. Recordings were deleted after 14-21 days.
The Authority established that the abovementioned practice of the infringing entity is not in line with the provisions of the Privacy Act and the data protection provisions of the Hungarian Labour Code, since recreational facilities were observed by the cameras which is an infringement of employees' human dignity. The infringing entity also breached the requirement relating to the term of data storage which should be 3 working days according to the Authority. Moreover, employees were not informed properly about the continuous surveillance.
Impulser - Trade Limited Liability Company
Impulser-Trade Commercial Limited Liability Company organised so-called "Health Day" events, at which health-related risk analyses and heart and vascular examinations were offered to participants. However, the actual aim of the company was to market expensive massage beds. In order to recruit participants for the events, telephone calls were made and invitation letters were sent to those who were interested. In addition, interested persons could register on various websites by completing a registration form.
Data subjects claimed that the infringing entity collected their phone numbers without any consent thereto and they were not deleted after the request of data subjects.
The Authority concluded that the infringing entity breached its obligation to provide adequate and detailed information about the exact purpose of the data processing and misled data subjects about the actual marketing aim of the event. By this practice, the data controller not only infringed the obligation to specify the purpose of data processing but also breached the requirement of fair data processing. The data controller also breached its obligation to provide data subjects with adequate and detailed information about its data processing. Furthermore, the infringing entity infringed the data subjects' right of access by not providing them with the information requested, and their right to deletion by not deleting the personal data as requested.
The Authority imposed a fine of HUF 9 000 000 (approx. 29 500€).
The Authority prohibited the unlawful data processing and ordered the infringing entity to modify its existing practice in order to comply with the provisions of the Privacy Act.
* Note that the Hungarian DPA usually does not publish the name of the infringing entity.
Poland
Details of infringement
21 February 2014
(I OSK 2445/12)
GIODO issued a decision against Google obliging it to appoint an information security controller, the Polish equivalent of a data protection officer (the "DPO").
According to the Polish Data Protection Law (the "PDPL"), the data controller is obliged to appoint the DPO unless he is exercising the DPO's duties on his own.
Google argued that this provision distinguishes two situations: (i) where the DPO is in fact appointed and (ii) where one is not appointed but his/her duties are exercised within the organisation's structure. As a result, the company may choose not to appoint the DPO.
GIODO disagreed with the above argumentation. GIODO said that the DPO may not be appointed only where the controller is a natural person or a sole trader operating a business.
Notably, where the data controller's structure consists of several physical persons, one of them needs to be appointed as the DPO.
Moreover, Street View registration cannot be interpreted as a personal data file prepared ad hoc within the meaning of the PDPL. Thus, such a data filing system needs to be notified to GIODO.
The company filed a complaint against GIODO’s decision to the Regional Administrative Court and then to the Supreme Administrative Court.
Both courts upheld the decision repeating GIODO’s argumentation.
21 February 2014
(I OSK 2463/12)
Company offering debts for sale on the internet
The complainant (sole trader) wanted its data to be removed from a website offering debts for sale. GIODO considered that the infringement did not occur, since the sole trader's privacy rights are limited due to the fact that it is a debtor, and therefore, must accept the creditor's steps undertaken to collect the debt. The creditor is entitled to use the debtor's data to ensure the debt is paid off (as long as the information disclosed by the creditor is limited to the data necessary to describe the debt). Privacy rights do not have an absolute character since they may be limited due to public interest or a justified interest of a third party.
In addition, the complainant contested the validity of the transfer of the debt, arguing that the company which published its data online was not allowed to do so. GIODO indicated that it is not competent to decide on this particular aspect since it is for the civil law courts to determine whether the debt transfer was lawful. GIODO considered that transfer of the debtor's data is an inseparable element of the transfer of debt and it is lawful based on the legitimate interest provision.
The company filed a complaint against GIODO's decision with the Regional Administrative Court.
The Court upheld the decision, agreeing with GIODO’s argumentation. The company filed a complaint with the Supreme Administrative Court, which considered the complaint groundless.
The DPA's (GIODO's) decisions
6 March 2014
Public Transport Authority of Warsaw (ZTM)
GIODO considered that ZTM infringed the PDPL by collecting information about the place of tax settlement of Warsaw citizens for the purpose of issuing discount cards for public transportation without any legal basis (either as data controller or as data processor).
Notwithstanding the administrative proceedings, GIODO filed a motion with the district prosecutor's office in Warsaw-Wola to commence criminal proceedings against the Director of the Public Transport Authority of Warsaw (ZTM) for unlawful collection of data.
The public prosecutor's office decided on 21 March 2014 that the reported activity does not amount to criminal activity. According to press information, GIODO filed a complaint with the regional prosecutor's office. The proceedings are on-going.
27 March 2013
GIODO considered as unlawful the fact that a bank was collecting information concerning criminal records of employees of a third party entity cooperating with this bank. Moreover, GIODO argued that the data filing system used by the bank was not complying with the requirements set by the PDPL. The bank did not notify the data filing system to GIODO.
The provisions of the Banking Law do not oblige a bank to collect information confirming any particular features of the employees of the entities cooperating with a bank. Therefore, there are no legal grounds for the bank to collect information on criminal records of employees of a cooperating entity. The bank is not entitled to collect criminal records based on legitimate interest.
GIODO obliged the bank to cease the infringing activity by stopping the collection of criminal record data, removing the data already collected, notifying the data filing system to GIODO (for the other data of employees of a third-party entity cooperating with the bank), and removing the non-compliant elements of the data filing system.
27 March 2012
Municipality of D.
The complainant accused the Municipality of D. of not complying with its information obligations regarding the data collected via the monitoring system used in the city hall. The monitoring system in question was set up only for preventive purposes and did not allow the filmed person to be recognised (only a silhouette was visible on the recording, and one could not tell who the person was).
According to GIODO, the monitoring system is not subject to the requirements of data protection regulation. GIODO concluded that since the monitoring system was not actually collecting personal data, the Municipality was not obliged to provide the requested information to the complainant.
GIODO issued a decision in October 2012 (DOLiS/DEC-1035/12/64210, 64222) rejecting the complaint. Subsequently the complainant filed a motion for reconsidering the case. GIODO confirmed its previous position.
Slovakia
Details of infringement
July 2013 – March 2014
Natural and legal persons
Non-compliance with the Slovak Data Protection laws.
The average fine imposed by the Slovak DPA during this period was 267€.
Failure to provide necessary cooperation to the Slovak DPA.
500€ (this is also the highest fine imposed by the Slovak DPA during this period).
Spain
Details of infringement
January 14th, 2014.
Navas Joyeros Importadores S.L. ("Navas")
Privilegia Luxury Experience, S.L. ("Privilegia")
This first AEPD resolution on cookies not only sanctioned the offender for a minor offence, it also provided an interpretation of the two main obligations regarding cookies imposed by the law, i.e. (i) the duty to inform and (ii) the duty to obtain the user's consent.
The grounds for the sanctions were as follows:
As regards the violation of the Right of information in the collection of data (Art. 5 of the Spanish Data Protection Act, "LOPD"):
Information must be clear in order to guarantee users' right to be informed, and it must be provided in an express, precise and unequivocal manner prior to the collection of data. The AEPD considered that the "legal warning" link used was not easily accessible at all times from the website and, in addition, provided insufficient information about the processing of the data; hence the legal requirements of Art. 5 LOPD were not fulfilled.
Concerning the violation of the rights of service recipients (Art. 22.2 of the Spanish Telecommunications Act, "LSSI"), the AEPD pointed out that the basis of the infringement was as follows:
Most users do not know what cookies are; hence the provider needs to explain the nature of this tool in order to obtain the user's informed consent.
As regards the violation of Art. 5 LOPD, the AEPD imposed a 1 500 € fine on Navas.
Concerning the violation of Art. 22.2 LSSI, Navas was fined 3 000€ and Privilegia was sanctioned with a 500€ fine.
Please note that the AEPD has also issued Guidelines on Cookies.
In order to guarantee that cookies are used in a way that respects users' privacy, users must perform a positive action to express their consent. Moreover, providers must provide sufficient information and obtain users' informed consent. Users' clear knowledge of the types, purpose and providers of the cookies is essential when obtaining their consent; hence, if providers do not clearly explain which cookies they are using and for what purpose, consent is not sufficiently informed. In this case, the sanctioned parties (i) did not explain what cookies are, (ii) did not specify which cookies they used and for what purpose, (iii) did not explain whether the cookies were their own or third-party cookies, (iv) did not explain how to install or reject cookies in each browser, and (v) installed cookies without obtaining users' informed consent (i.e. through a positive action by the user after providing the aforementioned information).
Sweden
Details of infringement
23 January 2014
(The Church of Sweden)
The Church kept a register containing personal data of children who were not members of the Church but whose guardians were. The Church processed the data in order, inter alia, to offer the guardians the baptism of their children or to invite the children to confirmation or other Church activities. The data in the register had been recorded on the child's date of birth or when the custody relationship between the child and the guardians had been acknowledged. The data were not removed from the register until:
- the child turned eighteen (18), unless the guardians requested removal earlier;
- the child reached the age of twelve (12) and requested removal him/herself; or
- the guardians left the Church.
The Data Inspection Board (the "DIB") investigated whether the Church’s processing was permitted and whether the Church eliminated the data from the register in accordance with the Personal Data Act (the "PDA").
The DIB found that the Church had processed personal data in breach of the Swedish PDA by keeping personal data of children who were not members of the Church, but whose guardian(s) were, for longer than was necessary having regard to the purposes of the processing.
The DIB assumed that the Church’s Board would take measures to correct the non-compliance.
23 January 2014
(County Council Gävleborg)
(the "County Council")
The County Council aims to be an alcohol and drug free workplace and has a zero tolerance policy on drugs and alcohol. The County Council stated that the policy is important both for the safety of the patients and for the work environment.
The County Council had formally decided to introduce random alcohol testing of its employees. The testing would cover all categories of employees, and the ambition was to test 25 percent of the workforce every year. The purposes of the processing involved in the alcohol tests were partly to fulfil the County Council's obligations under work environment legislation regarding the rehabilitation of its employees, and partly to achieve the highest possible safety for patients by preventing employees from working while intoxicated. The tests would be conducted by the occupational health services (Swe: Företagshälsovården), which would then report the test results to the County Council.
The DIB decided to inspect the County Council's processing of personal data resulting from the random alcohol testing of its employees, but since the County Council had not yet conducted any tests, no personal data had been processed for that purpose. As there was no processing of personal data to consider in the supervisory matter, the DIB decided only to make general comments on the processing of personal data that could occur if the random alcohol tests were conducted.
The DIB stated that whether the alcohol tests themselves are permissible is an employment law question and is therefore not covered by the DIB's powers as a supervisory authority under the PDA. However, the DIB examined the intended transfer of data from the occupational health service to the County Council and the County Council's further handling of the data. During the supervision, the DIB consulted the Swedish Work Environment Authority (the "SWEA").
According to the SWEA, the work environment legislation contains no obligation for an employer to conduct alcohol tests as a precautionary measure.
The DIB stated that it is not acceptable to justify the processing of sensitive personal data, e.g. data concerning health (as results from an alcohol test may indicate alcohol abuse), with such generally stated purposes as the employer's rehabilitation responsibility or the achievement of patient safety. With regard to the latter purpose, the DIB stated that there are specific laws regulating medical examination of certain professions (mainly with regard to public safety) and that it was unclear whether the County Council had any employees covered by such laws. However, it was clear that those regulations do not provide support for random alcohol testing of all categories of employees in the County Council. The DIB further stated that it was not permissible for the County Council to collect test data from the occupational health service merely because such data might be needed to rehabilitate employees at a later stage.
30 January 2014
Polismyndigheten i Uppsala län
(The police authority in Uppsala county)
The DIB investigated the processing of personal data by the Police. During the DIB's investigation several deficiencies were identified, including the following:
The Police had appointed a data protection officer in accordance with the Police Data Act. Such an officer is obliged to maintain a register of all personal data processing conducted by the Police, but the existing register had not been updated after the new Police Data Act came into force: it listed processing in systems that had been discontinued, while new systems in use had not been registered.
The Police had no specific routines or instructions for the use of mobile storage media and mobile IT equipment.
The Police had no routine to ensure that a confidentiality marking in the national population register was noticed and carried over into the Police's systems.
No routines had been set up to ensure that personal data were deleted from two of the registers, and no data had been deleted from those registers since the records were created.
The Police processed personal data in one of the registers for purposes that had no legal basis.
The Police internally published notices, intended as feedback to staff, that contained personal data of convicted and detained persons.
The Police processed personal data of persons in preliminary investigations who were not suspected of any serious crime but who had a relevant connection to a suspect (e.g. a relative, acquaintance or employer), without informing those persons of the processing.
Furthermore, a preliminary investigation from 2010 contained data that had not yet been processed or analysed, and no new data had been added to the investigation since the first data were registered.
The DIB ordered the Police to take several measures, including:
Provide the data protection officer with the information needed to maintain an up-to-date register of the personal data processing conducted by the Police.
Develop written routines on security measures for the processing of personal data on mobile devices.
Introduce routines to ensure that a confidentiality marking added in the national population register is noticed in the systems used by the Police and registered in those systems at the latest in conjunction with the final report in the matter.
Introduce procedures to ensure that personal data are not kept longer than permitted under the Police Data Act and to delete information from the registers.
Cease the processing of personal data in the register where processing was conducted without legal basis.
Review the routines for the internally published notices.
Arrange the processing so that persons who are not suspected of a serious crime but whose personal data are processed receive information about the processing, and cease, in accordance with the Police Data Act, the processing of personal data in investigations that have not been updated for a long time.
The DIB also required the Police to submit, within a specified time period, a description of the measures taken to comply with the above.
7 February 2014
Wihlborgs Fastigheter AB
The Company operates in the Swedish commercial real estate market.
The Company used a positioning system in vehicles provided to employees. The system was used to create electronic driver log books, and the purposes of the processing were:
to facilitate compliance with the Swedish Tax Authority's requirements for reporting the distance employees have driven on the job;
to meet the Company's interest in driver log books and documentation of the use of its vehicles, for instance to evaluate each vehicle's need for service;
to safeguard the security of staff, to produce statistics and to provide a basis for allocating and billing the work of property hosts in each building; and
to be able to carry out inspections where serious abuse of the employer's trust is suspected, i.e. where an employee is suspected of using a vehicle in contravention of the Company's rules on the use of its vehicles.
The Company had informed the employees, in writing and orally, about the use of the positioning system in their vehicles. All processed data were kept for seven (7) years, which the Company justified by reference to the requirements of the Accounting Act (1999:1078).
The DIB ordered the Company to:
arrange the processing so that the Company processes only personal data that are adequate, relevant and necessary having regard to the purposes of the processing;
supplement the information given to employees with detailed and clear information about the purposes of the processing in the positioning system, the categories of data processed and the inspections that may be carried out in relation to the processing, together with information about the rights of the data subject regarding the processing;
review its routines for deletion of personal data so that personal data in the system are not kept longer than necessary having regard to each purpose, considered separately, for which personal data are processed in the system; and
where personal data are required to fulfil requirements in other applicable statutes and therefore need to be kept longer than would otherwise be justified under the PDA, restrict access to the data so that they may be used only to fulfil those requirements.
Details of infringement
5 September 2012
Federal service in charge of security controls concerning individuals
In a decision of the Federal service in charge of security controls concerning individuals, A. was considered to present a risk to national security and was ordered to inform his superior every six months, in detail and in writing, about his personal financial situation and to hand over an extract from the insolvency register.
The Federal Administrative Court (ATAF 2012/25) overturned this decision on the ground that the obligation imposed on A. interferes with his privacy and may only be imposed if it has a legal basis, serves the public interest and is proportionate. In this case, the law does not provide a sufficient legal basis for such an obligation.
The Federal Administrative Court overturned the Federal service’s decision.
15 August 2013
A private hospital infrastructure
A private hospital, divided into several clinics at four different locations and organised as a limited liability company, adopted a new internal data management system holding personal and medical data. The data were made available to the staff of the different clinics under a system of access rights defined by the user's role (physician, nurse, etc.). The Data Commissioner of the Canton of Berne objected to the hospital's new data management system.
The cantonal court of the Canton of Berne (decision of 15.08.2013, No. 100.2012.330U) held that access to data within the whole hospital does not constitute disclosure to a third party. Access to the data is necessary for the performance of the hospital's tasks and need not be restricted to particular parts or departments of the hospital. Specific access restrictions should be adopted only for the data of sensitive persons (public figures, relatives of staff, etc.). It is not necessary to keep a log file of the data processed, insofar as the processing takes place in the performance of the hospital's tasks.
The cantonal court of the Canton of Berne partly overturned the decision of the Data Commissioner of the Canton of Berne.
Details of infringement
08 January 2014
Northern Health and Social Care Trust
The ICO conducted a follow-up review of the Trust's actions following the undertaking it signed on 7 August 2013.
The ICO concluded that the Trust had taken steps to mitigate the risks, but that some further steps are required.
Further steps required:
Local departmental procedures for the storage and use of personal data;
Review and update corporate induction materials;
Review physical security measures where sensitive and/or personal information is stored; and
Finalise the policy on physical security.
24 January 2014
ICU Investigations Limited
The men behind private investigation company "ICU Investigations Ltd" were found guilty of conspiring to unlawfully obtain or access personal data under section 55.
ICU Investigations Ltd worked on behalf of clients such as Allianz Insurance PLC, Brighton & Hove Council and Leeds Building Society, to trace individuals, primarily for the purpose of debt recovery. The court found that the company had tricked organisations such as utilities companies and TV licensing into revealing personal data. The ICO investigation found approximately 2,000 separate offences between 2009 and 2010.
Five employees had previously pleaded guilty to the charges and the company was also found guilty as a separate defendant. The ICO found no evidence of criminality by any of ICU Investigations Ltd's clients, who were found to be unaware of the fact that the data had been obtained by illegal means.
Prosecution under section 55.
One of the men running ICU Investigations, Adrian Stanton, was fined a total of £7,500 and £6,107 prosecution costs.
Five employees of the company who had previously pleaded guilty to the same offence were also sentenced at Isleworth Crown Court, with fines ranging from £1,000 to £4,000 not including prosecution costs.
The ICO awaits the sentencing of another individual in charge of running ICU Investigations, Barry Spencer, and ICU Investigations itself, which will be sentenced as a separate defendant.
This will take place at a confiscation hearing on 04 April 2014.
26 February 2014
Treasury Solicitor's Department
An undertaking to comply with the seventh data protection principle has been signed by the Treasury Solicitor’s Department following several separate breaches of the Act. These breaches took place in relation to case files sent to a claimant's solicitor and to the claimant with un-redacted third party personal data contained within.
The ICO has agreed not to exercise its powers to serve an Enforcement Notice following consideration of the remedial action which has been taken.
Undertaking to comply with the seventh data protection principle (Part 1 Schedule 1 of the Act)
The Treasury Solicitor’s Department must ensure implementation of the following (within 6 months):
A clear and documented procedure for staff to follow when preparing information for disclosure; Structured communication channels between Junior and Senior lawyers carrying out the disclosure process; and
A mandatory and comprehensive training programme for all new and existing staff.
7 March 2014
British Pregnancy Advisory Service
The ICO has fined the British Pregnancy Advisory Service ("BPAS") £200,000 after a malicious hacker gained access to personal data stored on BPAS' website and threatened to publish it. This case shows that it is not only public bodies that may be the focus of ICO investigations and the recipients of large fines.
The ICO's investigation revealed that BPAS did not know exactly what information it was holding on its website and had not put effective security measures in place to protect that data. Although BPAS took extensive steps to prevent any detriment to the individuals whose data were compromised, the ICO still imposed a large fine.
Monetary Penalty of £200,000.
Further steps required to ensure:
Implementation of a rigorous policy governing software and website development work; and
Regular audits of website development work in relation to how personal data is managed.
10 March 2014
The ICO has served enforcement notices on Isisbyte Limited ("IL") and SLM Connect Limited (see below) after the companies were found to be making unsolicited marketing calls without providing information as to their identity. This was a breach of the Privacy and Electronic Communications Regulations 2003 (Regulation 24).
The ICO required that Isisbyte cease or provide the relevant information required by Regulation 24.
Enforcement notice under section 40 of the Act.
IL shall (within 35 days of the Enforcement Notice):
Cease direct marketing by means of a public electronic communications service unless the following information is provided with the communication: IL's name, and either an address or a telephone number on which IL can be reached free of charge.
10 March 2014
SLM Connect Limited
Enforcement notice under section 40 of the Act.
11 March 2014
Becoming Green (UK) Ltd
A Cardiff-based green energy deal company, Becoming Green (UK) Ltd, has been prosecuted for failing to notify the ICO that it handled customers' personal data. Notification is a legal requirement under section 17 of the Act. The company's director was also convicted under section 61 of the Act for allowing the company to process personal data unlawfully without notifying the ICO.
Prosecution under section 17 and section 61 of the Act.
Company Director to pay fine of £270 and ordered to pay a victim surcharge of £27 and £300 prosecution costs. Becoming Green (UK) Ltd was also to pay the same fines.
12 March 2014
A plumbing company and its director have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act (as above). Boilershield Limited and its director, Mohammod Ali, pleaded guilty at a hearing on 12 March 2014 at Bromley Magistrates.
Prosecution under section 17 of the Act.
Company and Company Director to pay fines of £1,200 and to pay costs of £196.87 and a victim surcharge of £120.
13 March 2014
An undertaking to comply with the seventh data protection principle has been signed by Neath Care. This follows the disclosure of ten client care service delivery plans which were found by a member of the public in the street. The care service delivery plans related to elderly people and contained confidential client information on matters such as personal care, medication and key safe numbers.
ICO investigations revealed it likely that measures in place at the time of the incident were not compliant with the seventh data protection principle.
Undertaking to comply with the seventh data protection principle (Part 1 Schedule 1 of the Act)
Further steps required to ensure implementation of the following (within 6 months):
A detailed policy covering safe handling of personal data;
Procedure to ensure that all sensitive personal data taken out of the office is monitored, logged and returned to the office; and
Mandatory staff training.
14 March 2014
Cardiff City Council
A follow up has been completed to provide an assurance that Cardiff City Council ("CCC") has appropriately addressed the actions agreed in its August 2013 undertaking. This undertaking was in relation to a failure to respond within 40 days to a subject access request (SAR).
The ICO concluded that the CCC had taken steps to mitigate the risks, but that some further steps were required.
Further action to be taken:
CCC to ensure that the new EDRM system roll out addresses the undertaking stipulation that improvements are made to the systems and measures governing the storage of paper records to ensure that subject access requests are responded to in an appropriate and timely manner
17 March 2014
Kent Police ("KP") was fined £100,000 after highly sensitive and confidential information, including copies of police interview tapes, was left in the basement of a former police station. The ICO considered that KP's conduct met the criteria for a monetary penalty, given the confidential and highly sensitive nature of the information and the risk of substantial damage or distress.
Monetary penalty notice under section 55A of the Act.
Monetary penalty must be paid by KP to the Commissioner's office by April 2014.
20 March 2014
Disclosure and Barring Service.
An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service ("DBS") in relation to an application form question used by DBS which resulted in conviction/caution information being unfairly disclosed to prospective employers. The phrasing of the question meant that minor caution/conviction information that would have been filtered out by law had to be disclosed to prospective employers when completing the form.
Undertaking to comply with the first data protection principle.
Steps to be implemented:
DBS to amend the offending question by 31 March 2014;
By 31 July 2014, DBS to provide information to applicants within the application form on the matters that will be filtered and so can be withheld in any response; and
DBS to keep the supporting information provided to applicants under review.
European data protection news Czech Republic
Opinion of the Czech Data Protection Authority on processing of personal data necessary to obtaining resources from the European funds
The Act on the Protection of Personal Data requires that each processing of personal data for a particular purpose be notified by the controller to the Czech Data Protection Authority. The Act also provides certain exemptions from this requirement. The notification obligation does not apply to a controller that must process personal data because it is obliged to do so under a special act, or in order to exercise certain rights and obligations arising from a special act.
As regards obtaining resources from the European funds, the processing of personal data is required by Regulations (EU) No 1303/2013 and No 1304/2013. The Regulations set out the specific purposes for which personal data may be processed, as well as the extent of the processing.
EU Regulations apply directly in all member states, which means that their effect is direct and individuals may immediately invoke their provisions before a national court. As the processing of data for obtaining resources from the European funds is imposed directly by the Regulations, the DPA concludes that if personal data are processed in accordance with the above Regulations, the exemption from the notification obligation applies and no notification to the DPA is required.
Proposed guidelines of the Polish Ministry of Internal Affairs on the Video Surveillance Act of 18 December 2013
Izabela Kowalczuk, Associate / Marcin Alberski, Paralegal
In Poland, even though video surveillance is commonly used there are no comprehensive legal regulations in this respect (except those concerning particular sectors, such as CCTVs at gambling establishments or mass events, policing and secret services authorised to record video and audio materials in certain situations). The general rules of the Polish Data Protection Act (the "PDPA") and the right to privacy apply when data related to video surveillance may allow for identification of individuals.
This may change soon, as the Polish Ministry of Internal Affairs has proposed legislative guidelines for a Video Surveillance Act, dated 18 December 2013 (the "Guidelines"). The purpose of the Guidelines is to regulate the widespread use of video surveillance systems and their increasing technical capabilities. The public consultation on the Guidelines has now ended.
The intention of the Guidelines is to regulate video surveillance operations conducted in (i) open public spaces or (ii) closed space assigned for public use.
According to the Guidelines, the right to prevent public use of an individual’s facial image or silhouette enabling recognition would be protected. This would also apply to vehicles enabling the owner’s or the user’s identification.
The Guidelines' scope will not cover (i) systems that gather optical data which do not enable identification of people, e.g. systems counting persons entering a given space or analysing typical behaviours, and (ii) use of video surveillance by individuals in private spaces.
Certain, but not yet specified, restrictions would apply if the images of persons are compared with identifying data. Under the Guidelines, video surveillance could not be (i) combined with a technology enabling the transmission of video and/or the recording of sounds and conversations, or (ii) performed at places where it would infringe human dignity, unless specific provisions state otherwise.
Video surveillance in open public spaces:
Video surveillance in open public spaces will be conducted, as it seems, primarily by public entities in order to guarantee safety, public order and provide security of people and property.
In the case of open public spaces (streets, squares), the local community would participate in the decision making process regarding the establishment and development of video surveillance systems. At least once a year the video surveillance system would be assessed based on the number of incidents revealed in order to provide more efficient use.
An information board consisting of a pictogram and the system controller’s information and contact details would mark the location of each camera in open public space. It seems however that in case of collecting personal data also the information obligation set forth in the PDPA would still apply.
Video surveillance in closed space assigned for public use
Video surveillance in closed space assigned for public use would be operated by private entities in order to provide security of people and property, and by public entities in order to guarantee safety and public order and provide security of people and property.
This would also apply to e.g. public transport facilities.
As the Guidelines apply to closed space assigned for public use, it is not clear from this definition whether they will cover video surveillance in private closed spaces (e.g. workplaces, schools), although the Guidelines seem to suggest so.
The Do Not Call ("DNC") provisions of Singapore's Personal Data Protection Act 2012 ("PDPA") came into effect on 2 January 2014, while the remainder of the PDPA will come into effect on 2 July 2014. Accordingly, at present there are cases of DNC infringement but no cases of infringement of the PDPA's data protection obligations. The Personal Data Protection Commission ("PDPC") has begun investigating and taking enforcement action against organisations for breaching the DNC regime under the PDPA. As of 14 February 2014, 1,500 valid complaints about 580 organisations have been investigated. The organisations come from a variety of sectors, including private education, property, banking and finance, retail, insurance and telecommunications. The PDPC has issued more than 100 notices of warning in lieu of prosecution, and is allowing some organisations to compound their offences for sums between $500 and $1,000. The PDPC has not released the identities of the infringing organisations or the details of their infringements.
Easing of the Slovak data protection regulation from 15 April 2014
Tomáš Blažej, Associate, Bird & Bird Bratislava
On 3 April 2014, the Slovak Parliament approved the amendment of the Act no. 122/2013 Coll. on Protection of Personal Data and on Amendment of Further Acts. It is the first amendment of the new Act on Protection of Personal Data which became effective only on 1 July 2013.
The amendment is effective as of 15 April 2014 and it introduces, in particular, the following changes in the area of personal data protection.
Data Protection Officer
As of 15 April 2014, the appointment of a Data Protection Officer (the "DPO"), who supervises compliance with the statutory provisions on the processing of personal data, is voluntary. Controllers that appoint a DPO gain the advantage of not having to notify the Office for Protection of Personal Data of the Slovak Republic (the "DPA") of filing systems that would otherwise be subject to the notification obligation.
Under the wording of the Act on Protection of Personal Data in force until 14 April 2014, controllers of filing systems were obliged to appoint a DPO where they processed personal data through 20 or more authorised persons.
It is now also possible to entrust a member of the controller's statutory body with the function of DPO, which was explicitly prohibited under the wording in force until 14 April 2014. The other requirements on the DPO, including passing an examination before the DPA, were not changed by the amendment.
Obligation to notify filing systems
The obligation to notify a filing system to the DPA has replaced the former obligation to register a filing system with the DPA.
The notification obligation does not apply to filing systems that are subject to the supervision of a DPO. However, the amendment also provides that filing systems processing personal data necessary for the protection of the legally protected rights and interests of the controller or of a third party, in particular personal data processed for the protection of the property, financial and other interests of the controller, and personal data processed to ensure the security of the controller by means of cameras and similar systems, must always be notified to the Slovak DPA, regardless of whether a DPO has been appointed. A template of the notification is published on the DPA's website.
Pursuant to the transitional provisions, the registrations of the filing systems carried out until 14 April 2014 are considered as notifications of filing systems pursuant to the wording of the Act effective as of 15 April 2014.
Fines for breaching the provisions of the Act on Protection of Personal Data
The amendment also lowers the fines that the DPA may impose for breaches of the Act on Protection of Personal Data. The maximum fine was reduced from EUR 300,000 to EUR 200,000, and for the majority of fines the amendment now states that a fine "may" be imposed, so that imposition is at the discretion of the DPA. Under the wording in force until 14 April 2014, the DPA was obliged to impose a fine whenever it found a violation of the Act.
As described above the amendment of the Act on Protection of Personal Data introduces certain ease in the data protection regulation in the Slovak Republic and its adoption is undoubtedly positive news for entrepreneurs carrying out activities on the territory of the Slovak Republic.
Slovak Data Protection Authority unveiled its targets for inspections in the second half of year 2014
The Slovak Data Protection Authority (the "Slovak DPA") has for the first time published its targets for inspections in the second half of 2014. The list of targets was published on the Slovak DPA's website on 15 April 2014 (available only in Slovak at http://www.dataprotection.gov.sk/uoou/sk/content/plan-kontrol). According to information obtained from the Slovak DPA, the targets for inspections will also be published regularly for subsequent periods.
The targets for inspections are the following:
Consular offices of selected diplomatic representations in the Slovak Republic;
National central office SIRENE;
State customs authorities;
Travel agencies and airline operators: focus on the legality of cross-border transfers of personal data to third countries that do not ensure an adequate level of protection of personal data, security of processing, destruction of personal data, and notification and record-keeping of filing systems;
E-shops, i.e. providers of information society services: focus on the legal basis for processing personal data, notification of filing systems, security of processing, and the controller's obligations towards the processor;
Retail chains operating loyalty programmes: focus on the legal basis for processing personal data and notification of filing systems;
Employment brokerage agencies: focus on processing of job applicants' personal data, collection of personal data, the obligation to inform data subjects, and destruction of personal data;
Passenger car rental companies: focus on notification of filing systems and collection of personal data;
Alternative gas and electricity suppliers: focus on compliance with the obligation to inform data subjects and the security of personal data;
Leasing companies: focus on compliance with the obligation to inform data subjects and the security of personal data;
Non-bank lenders: focus on compliance with the obligation to inform data subjects, the security of personal data, and the legal basis for entering clients' (consumers') personal data into inter-bank databases.
The new "Life Gene" Act
On 1 November 2013 the so-called "Life Gene" Act entered into force in Sweden: the Act on certain registers for research on what heredity and environment mean for people's health (2013:794) (Swe: Lag om vissa register för forskning om vad arv och miljö betyder för människors hälsa) (the "Act"). The Act was adopted because, since the Personal Data Act (1998:204) and the Act concerning the Ethical Review of Research Involving Humans (2003:460) were enacted in the late 1990s and early 2000s, it has not been possible to keep person-identifiable research registers or databases for generally or broadly defined purposes, or to store personal data for purposes not yet defined so that the data can be used in future research. The Act makes it possible for certain universities and colleges to process personal data in research projects on the significance of heredity and environment for the development of diseases and for human health, for generally or broadly defined purposes, provided that the data subject has given his or her express consent to the processing. The Swedish Government decides by regulation which universities and colleges may process personal data under the Act. The Act will remain in force until 31 December 2015.
Sweden's first summary imposition of a fine has been issued to companies for non-compliance with the Personal Data Act
About a year ago it was discovered that all municipal housing companies in Gothenburg, Sweden, had registered sensitive personal data, e.g. ethnicity and health status, about their tenants. The Swedish Data Inspection Board (the "DIB") initiated an inspection of the processing conducted by the companies and found that they had processed sensitive data in violation of the Personal Data Act (1998:204) (the "Act"). The Swedish Union of Tenants (Swe: Hyresgästföreningen) reported the matter to the police. On 4 March 2014 a prosecutor issued a summary imposition of a fine of SEK 20,000 on each of the municipal housing companies for processing sensitive data in violation of the Act. The decision is unusual in that the companies themselves were held liable, rather than only individuals at the companies, as is normally the case. The decision may serve as a warning to companies, since it clarifies that a company itself may be held liable for processing data in violation of the Act.
Use of the social security (AVS) number
Sylvain Métille, Head of Technology and Privacy, and Nicolas Guyot, Associate, BCCC Attorneys-at-Law LLC
The Federal Council intends to use the old-age and invalidity insurance (AVS) number for maintaining the land register and civil register.
The Federal Data Protection and Information Commissioner (FDPIC) expressed concern about the use of the AVS number as a universal personal identifier within and outside the administration. In the FDPIC's view, this could create major data protection risks, since nothing would technically prevent unauthorised matching of personal data across databases.
The FDPIC favours the use of sector-specific identifiers, with access restricted to the persons who need them.
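The FDPIC's objection above comes down to a property of the identifier itself: a number reused everywhere lets anyone holding two files join their records by simple equality, whereas a sector-specific pseudonym derived under a key does not. The Python script below is an added example, not part of the original newsletter and not the design of any Swiss federal system; the AVS-style numbers, the sector names (land_register, civil_register) and the fixed sector keys are all constructed for illustration. It shows that a bare hash of the number is reversible by enumeration and identical across sectors, that an HMAC under a per-sector key yields values that cannot be matched across sectors without the key, and that the key holder can still answer an authorised cross-sector lookup.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Set

# Constructed sample data for this example only. The numbers mimic the
# 756.XXXX.XXXX.XX shape of an AVS number but are invented, and the sector
# keys are fixed here purely so the example is reproducible. In a real
# deployment the keys would be generated and held in an HSM or key-management
# service reachable only by the derivation service, never by the sectors.
POPULATION = [
    "756.1234.5678.97",
    "756.2345.6789.01",
    "756.3456.7890.12",
    "756.4567.8901.23",
]
SECTOR_KEYS: Dict[str, bytes] = {
    "land_register": bytes.fromhex("00" * 16 + "11" * 16),
    "civil_register": bytes.fromhex("22" * 16 + "33" * 16),
}


def unkeyed_pseudonym(master_id: str) -> str:
    """Anti-pattern: 'pseudonymise' by hashing the number with no key.
    The AVS number space is small enough to enumerate, so the hash can be
    reversed, and every sector derives the same value, so records are
    trivially matchable across sectors."""
    return hashlib.sha256(master_id.encode()).hexdigest()


def sector_id(master_id: str, sector: str, sector_key: bytes) -> str:
    """Sector-specific identifier: HMAC-SHA256 over (sector, number) under a
    key that only the derivation service holds. The sector name is bound into
    the message so that a key reused by mistake still yields distinct values."""
    msg = sector.encode() + b"\x00" + master_id.encode()
    return hmac.new(sector_key, msg, hashlib.sha256).hexdigest()


def issue_sector_ids(master_id: str, keys: Dict[str, bytes]) -> Dict[str, str]:
    """What the derivation service hands out for one person: one unrelated
    identifier per sector."""
    return {sector: sector_id(master_id, sector, key) for sector, key in keys.items()}


def reverse_unkeyed(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the unkeyed scheme: recompute the hash for every
    candidate number until one matches. Needs no secret at all."""
    for candidate in candidates:
        if unkeyed_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def linkable_records(ids_a: Set[str], ids_b: Set[str]) -> Set[str]:
    """What an insider holding two sectors' files can match by equality of
    identifiers. Empty for keyed sector identifiers, complete for a shared one."""
    return ids_a & ids_b


def translate(sector_from: str, id_from: str, sector_to: str,
              population: Iterable[str], keys: Dict[str, bytes]) -> Optional[str]:
    """Authorised cross-sector lookup, possible only for the key holder: find
    the person whose sector_from identifier matches, then derive that person's
    sector_to identifier. This is the single place where matching can happen,
    which is where access control and logging belong."""
    for master in population:
        expected = sector_id(master, sector_from, keys[sector_from])
        if hmac.compare_digest(expected, id_from):
            return sector_id(master, sector_to, keys[sector_to])
    return None


if __name__ == "__main__":
    person = POPULATION[0]
    ids = issue_sector_ids(person, SECTOR_KEYS)
    print("land register id :", ids["land_register"])
    print("civil register id:", ids["civil_register"])
    print("unkeyed hash reversed to:", reverse_unkeyed(unkeyed_pseudonym(person), POPULATION))
    land = {sector_id(m, "land_register", SECTOR_KEYS["land_register"]) for m in POPULATION}
    civil = {sector_id(m, "civil_register", SECTOR_KEYS["civil_register"]) for m in POPULATION}
    print("records matchable across sectors:", len(linkable_records(land, civil)))
```

The distinction the FDPIC draws between "universal identifier" and "sectoral identifier" is exactly the difference between `unkeyed_pseudonym` and `sector_id`: with the former, the land register and the civil register can be joined by anyone who can read both; with the latter, a join requires the derivation service, which can enforce who is allowed to ask and record every request.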
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number 0C340318 and is regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP.
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses and has offices in the locations listed on our web site: twobirds.com.
A list of members of Bird & Bird LLP, and of any non-members who are designated as partners and of their respective professional qualifications, is open to inspection at the above address.