GDPR News – August 2021
Selected GDPR decisions from the month of August
The Danish Immigration Service reported to the police and facing a DKK 150,000 fine (about EUR 20,200)
The Danish DPA opened the case on its own initiative after learning through the media that a possible logging error in an IT system used at two deportation centres could have affected the residents' rights.
In June 2020, several breaches occurred when the IT system failed to log the residents' activities at the two deportation centres, including whether they complied with the obligations and rules applying to them as immigrants. Because of the missing records, casework was opened to reduce some residents' cash benefits, and several residents were reported to the police for failing to comply with the provisions of the Danish Aliens Act.
The DPA found that the Danish Immigration Service's (DIS) processing of personal data breached the rules on appropriate security measures, since the DIS had not implemented procedures for systematically using the data in the log that recorded the residents' activities at the two deportation centres.
In addition, the DPA found that the DIS had not identified and assessed the risks to the data subjects arising from the processing of their data in the system.
Finally, the DPA found that the DIS had not kept adequate backups of the data processed in the system, which is why the DIS could not recover much of the data lost during the IT failure in June 2020.
The DPA noted that where data is used in criminal cases or for control measures that may lead to sanctions, it must be ensured that all activities are logged and that backups are taken at intervals that prevent data loss in the event of IT failure. The DPA also noted that backup procedures must be tested by way of disaster recovery tests, at intervals set according to the risk to the data subjects' rights; a backup that has never been restored gives no assurance that the data can actually be recovered.
The DPA reasoned that it is important to maintain trust in data that public authorities process and pass on to the police, and that may eventually be used as evidence in court. It stressed that such data must be accurate: incorrect data not only costs the individuals concerned their rights, it also undermines confidence in both the authorities and the courts.
Fine for video surveillance in breach of the GDPR
The Norwegian DPA has issued a NOK 100,000 fine (about EUR 9,600) to Waxing Palace AS, a beauty parlour specialising in hair removal by waxing, for video-monitoring its reception in breach of the GDPR.
Under the GDPR, all processing of personal data requires a lawful basis. Following a complaint about a surveillance camera on the parlour's premises, the DPA found that the parlour had no lawful basis for the video surveillance and had not informed people about it adequately. The DPA found that the unlawful surveillance affected both staff and customers. The camera did not cover the areas where treatments were carried out; nevertheless, the DPA took into account that the business is one where many customers expect their visit to be a private matter and not something that may be captured on video.
Finally, the DPA also noted that a data controller must always inform data subjects about the processing of their personal data. In this case, that information must, among other things, make clear to the data subject which areas the camera covers.
The deadline for Waxing Palace AS to appeal the decision was 20 August 2021.
EUR 2 million fine for data processing in connection with a customer loyalty program
According to media reports, the Austrian data protection authority (Datenschutzbehörde) has issued a EUR 2 million fine to JÖ-Bonus Club GmbH, operator of an Austrian multi-partner loyalty programme through which members obtain benefits from various partners.
Joining the loyalty programme requires consent. The consent, however, was designed in a way that did not comply with the GDPR, because the consent declaration did not adequately inform users that they were consenting to profiling. Under the GDPR, information about the processing of personal data must be provided in an easily accessible form, using clear and plain language. JÖ-Bonus Club had designed its registration flow so that the information about profiling could only be found by scrolling down, while the consent itself was placed further up, so that consent was obtained before the information about profiling was presented.
JÖ-Bonus Club acknowledged the error and corrected it after being approached by the Austrian DPA. Nevertheless, it continued processing the data of approximately 2.3 million individuals who had already given their (invalid) consent.
The DPA concluded that JÖ-Bonus Club had breached its obligation to present the consent request in an easily accessible form, using clear and plain language. It therefore found the consents invalid and the profiling carried out on the basis of those consents unlawful. It was treated as an aggravating circumstance that the processing continued even though JÖ-Bonus Club knew that the consents obtained were invalid.