GDPR News – July 2021
Selected GDPR decisions from the month of July
Recordings of phone conversations without prior consent made by the Danish Business Authority drew criticism from the Danish Data Protection Agency
A citizen submitted a complaint about the Danish Business Authority having recorded a phone conversation between him and the authority on 26 June 2020 without first having obtained any consent.
On 3 June 2020 the citizen approached the Danish Business Authority with the purpose of informing them that the authority’s practice of recording phone conversations was contrary to the DPA’s guidelines for doing so, since the authority’s recordings were made without first having obtained consent.
On 24 June 2020 the Danish Business Authority replied to the citizen and specified the purpose of the recordings, including its legal basis for the processing. The Danish Business Authority stated that the purpose of recording all incoming phone calls to its customer call centre was partly to protect the employees in the call centre and partly quality assurance in order to provide better guidance. The Danish Business Authority informed the citizen that the recordings were made on the basis of Article 6(1) lit. d and e of the GDPR.
On 25 June 2020, the citizen commented on the reply of the Danish Business Authority and also sent a complaint to the Danish DPA.
It was revealed when handling the matter that since 1 June 2018, the Danish Business Authority had recorded all incoming phone calls to the customer call centre of the authority.
The DPA found that the general practice of the Danish Business Authority, under which all phone calls, without exception, from citizens, businesses, etc. calling the authority for advice and guidance were recorded, could not be regarded as necessary for the performance of a task carried out in the public interest, nor as part of the exercise of official authority.
The DPA took into consideration, i.a. in relation to the regulatory tasks of the Danish Business Authority, that it must be assumed to be the exception that citizens and businesses call and threaten employees of the authority in such a way as to give the authority reason to file a police report.
The DPA also found that recordings of phone conversations made by the Danish Business Authority for quality assurance and training purposes may only be made on the basis of the data subjects' consent.
On those grounds the Danish DPA expressed serious criticism of the Danish Business Authority's processing of personal data in connection with its recording of phone conversations.
Antigen test operator Medicals Nordic I/S reported to the police and faces a DKK 600,000 fine (approx. EUR 80,700)
The Danish DPA has reported Charlottenlund Lægehus Medicals Nordic I/S (“Medicals Nordic”) to the police for having processed confidential data and health information on citizens in connection with COVID-19 tests without having implemented the necessary security measures for processing such data. The DPA has recommended a fine of DKK 600,000 (approx. EUR 80,700).
In January 2021, the DPA was notified that Medicals Nordic was using the application WhatsApp to transmit confidential data and health information on citizens who had been tested in the business's test centres.
On those grounds, the DPA opened the case on its own initiative in order to clarify, i.a., whether Medicals Nordic had implemented appropriate technical and organisational security measures for the transmission of citizens' data. The DPA found that in several respects Medicals Nordic had not implemented adequate security measures.
Employees of Medicals Nordic used WhatsApp on their private mobile phones to transmit confidential data on citizens to the business's central administration. Medicals Nordic had set up a WhatsApp group for each of the four test centres run by the business.
All employees working in a given test centre were invited to join that test centre's WhatsApp group. Every member of a group received all messages transmitted by any member of that group.
This meant that employees who, in the opinion of the DPA, had no occupational need to process the data that other employees had to transmit to the central administration nevertheless received it. The data comprised, i.a., personal ID numbers and health information on citizens.
Inadequate access control of the groups also meant that employees who had left the business were not removed from the WhatsApp groups and could therefore still access the data transmitted in them.
In its decision, the DPA took into account that confidential data and health information on a large number of citizens had been processed insecurely and forwarded to unauthorised individuals, including employees without an occupational need to receive the data and former employees of the business.
The DPA also took into account that, in its opinion, the violations had in several cases been committed deliberately, since Medicals Nordic had failed to carry out adequate risk assessments in connection with the processing.
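The two defects the DPA identified, members without an occupational need for the data and former employees left in the groups, are exactly what a periodic reconciliation of messaging-group membership against the HR roster would catch. The following Python script is an added illustration of such a check and is not part of the decision or of Medicals Nordic's systems; the roster, the group names and their "testcentre-<site>" naming convention, the set of need-to-know roles and the treatment of "central" as the administration site are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data for illustration only; none of these records come
# from the DPA's case file. An HR roster export: employee id -> attributes.
ROSTER: Dict[str, dict] = {
    "e101": {"role": "sampler", "site": "north", "active": True},
    "e102": {"role": "nurse", "site": "north", "active": True},
    "e103": {"role": "admin", "site": "central", "active": True},
    "e104": {"role": "sampler", "site": "north", "active": False},  # left the business
    "e201": {"role": "sampler", "site": "south", "active": True},
    "e202": {"role": "nurse", "site": "south", "active": True},
}

# Membership as exported from the messaging tool (constructed). Group names
# are assumed to follow the pattern "testcentre-<site>".
GROUPS: Dict[str, List[str]] = {
    "testcentre-north": ["e101", "e102", "e103", "e104", "e201", "e202"],
    "testcentre-south": ["e201", "e202", "e103"],
}

# Roles assumed to have an occupational need to see result data that is
# sent to the central administration.
NEED_TO_KNOW_ROLES: Set[str] = {"nurse", "admin"}


@dataclass(frozen=True)
class Finding:
    group: str
    member: str
    reason: str


def site_of(group: str) -> str:
    """Derive the test-centre site from the group name (assumed convention)."""
    return group.split("-", 1)[1]


def audit_group_membership(groups, roster, need_to_know_roles) -> List[Finding]:
    """Flag every member who should not be in a group, and why.

    Checks are ordered so the most serious defect is reported first:
    unknown account, offboarded employee, role without need-to-know,
    then membership in another centre's group.
    """
    findings: List[Finding] = []
    for group, members in groups.items():
        site = site_of(group)
        for member in members:
            record = roster.get(member)
            if record is None:
                findings.append(Finding(group, member, "account not in HR roster"))
            elif not record["active"]:
                findings.append(Finding(group, member, "offboarded employee still a member"))
            elif record["role"] not in need_to_know_roles:
                findings.append(Finding(group, member, "role has no occupational need for the data"))
            elif record["site"] not in (site, "central"):
                findings.append(Finding(group, member, "belongs to another test centre"))
    return findings


def minimal_membership(group: str, roster, need_to_know_roles) -> Set[str]:
    """Least-privilege membership: active staff with a need-to-know role,
    working at this centre or in the central administration."""
    site = site_of(group)
    return {
        emp for emp, rec in roster.items()
        if rec["active"]
        and rec["role"] in need_to_know_roles
        and rec["site"] in (site, "central")
    }


if __name__ == "__main__":
    for f in audit_group_membership(GROUPS, ROSTER, NEED_TO_KNOW_ROLES):
        print(f"{f.group}: remove {f.member} ({f.reason})")
    for g in GROUPS:
        allowed = sorted(minimal_membership(g, ROSTER, NEED_TO_KNOW_ROLES))
        print(f"{g}: should contain {allowed}")
```

Run against a real export, the audit list is the set of removals to make immediately, and the minimal-membership set is what an offboarding process should enforce on every roster change rather than once a year; a tool that cannot produce a membership export at all is itself a finding.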
Amazon fined EUR 746 million
Online giant Amazon has been fined EUR 746 million for violating the GDPR.
The Luxembourg data protection authority (CNPD) issued the fine, as Amazon's European subsidiary is established in Luxembourg.
The fine was issued on 16 July 2021 but only became publicly known through Amazon's quarterly financial report, since Luxembourg legislation imposes a duty of confidentiality on the authority in such matters. Amazon has announced that it disagrees with the decision and intends to appeal it.
The precise nature of the violation has not been disclosed, but according to several media reports the case concerns Amazon's collection and use of customers' personal data for advertising purposes without a valid legal basis.
The decision is based on a complaint filed in 2018 by the French privacy organisation La Quadrature du Net, which represents more than 10,000 of the tech giant's customers. The organisation complains that Amazon profits from tracking its customers and using the resulting data to target the information and advertising they receive.
The largest fine issued so far for violating the GDPR was imposed in 2019, when the French DPA (CNIL) fined Google EUR 50 million. This decision therefore represents a substantial increase in the level of fines for GDPR violations.