GDPR News – May 2021
Selected GDPR decisions from the month of May
Court of law approves the opportunity for compensation in the event of a non-pecuniary loss following a data breach
At the end of 2018, four PCs were stolen from the town hall of Gladsaxe. A spreadsheet was stored on the local drive of one of the PCs containing personal data on 20,620 citizens for intermunicipal reimbursement purposes. The personal data consisted of personal ID numbers, names, addresses and in some cases summarising information about housing benefits and health information.
The usual security precautions applied to the computer, i.e. a user name and access code, but the data on the local drive had not been encrypted, and storing the spreadsheet on the local drive of the computer was a violation of the security policies of the Municipality of Gladsaxe.
In consequence thereof, the Danish DPA recommended that the Municipality of Gladsaxe be fined DKK 100,000 (about EUR 13,500).
Subsequently, legal action was instituted against the Municipality before the District Court of Glostrup by seven of the citizens involved claiming compensation in the range DKK 7,500-30,000 (about EUR 1,000-4,000).
The Court began by concluding that the Municipality of Gladsaxe, as the data controller, had not complied with the requirements of the GDPR in respect of secure processing.
However, the seven citizens had not suffered any financial loss; hence, the Court had to decide whether Art. 82 of the GDPR, which only refers to compensation for material or immaterial damage, also provides an opportunity for compensation in the event of non-pecuniary loss. The District Court of Glostrup found that Art. 82 of the GDPR should be interpreted in such a way that it also comprises compensation in the event of non-pecuniary loss.
Following an assessment of the data breach against the kind and character of the summarising information about each of the seven citizens comprised by the breach, the Court concluded that they had not suffered damage giving grounds for claiming compensation.
The press release from the District Court of Glostrup is available here (in Danish).
Norwegian DPA notifies fine of NOK 5 million for transferring data to China
The Norwegian DPA has notified a fine amounting to NOK 5 million (about EUR 490,000) to the company Ferde, which, among other things, collects road tolls for several Norwegian municipalities.
Vehicles passing through a toll station are registered by Ferde for the purpose of charging road tolls. It is possible to buy a chip which automatically registers the passage.
If the chip is not correctly registered or the vehicle is not equipped with a chip, a photo is taken of the registration number of the car which is subsequently sent for digital processing. In cases where the picture quality is too poor for automatic recognition, the photo is transferred for manual processing.
The photos processed show the lower part of the vehicle, including the number plate; however, the driver of the vehicle cannot be identified in the photo. The time of passage and the toll station passed are also shown in the photo. Ferde and the DPA agree that this constitutes processing of personal data in the sense of the GDPR.
The manual photo processing was, among other things, carried out by a sub-supplier with staff in China, who had access to the data through a web solution and Ferde’s own IT systems, which Ferde itself has described as a transfer of data to a third country according to the GDPR.
The DPA stated that it is basically not permitted to transfer personal data to countries outside the EU/EEA, unless the recipient (outside the EU/EEA) has provided the “necessary guarantees” for secure processing, and the data subjects are able effectively to exercise their rights regardless of the transfer.
In respect of this case, the DPA concluded as follows:
- Ferde only entered into a data processing agreement with its Chinese sub-supplier in September 2018, although the personal data processing already had commenced in September 2017, which constitutes an infringement of Art. 28 of the GDPR.
- Ferde had not made a risk assessment in the period from September 2017 until October 2019, during which time data had been surrendered to the Chinese data processor, which constituted an infringement of Art. 32, Art. 5 (1) (f) and Art. 5 (2).
- Ferde had no grounds for transferring personal data to China during the period from September 2017 until autumn 2019, and the DPA regarded this an infringement of Art. 44 of the GDPR.
The DPA’s prior written notification to Ferde dated 4 May 2021 is available here (in Norwegian).
Fine of EUR 7,000 issued in consequence of not reporting personal data breach
The Dutch DPA (AP) has issued a fine of EUR 7,500 to a local division of the political party PVV in Overijssel (PVV Overijssel) for not having reported a personal data breach to AP, which is contrary to Art. 33 of the GDPR.
On 11 January 2019, AP received a complaint about a possible infringement of the GDPR. The person filing the complaint claimed that PVV Overijssel on 10 January 2019 had sent an email invitation for an event to a group of 101 recipients. The 101 recipients were registered as “PVV’s friends” in the email. The list of recipients was visible to all recipients of the email message, including the person filing the complaint.
When replying to the invitation, the complainant made PVV Overijssel aware that PVV Overijssel had made all email addresses visible and directed attention to this in the light of the rules on confidentiality. In an email dated 11 January 2019, a member of staff of PVV Overijssel apologised to the complainant for the circumstance. On 15 January 2019, the complainant received a new invitation for the same event from PVV Overijssel, this time without any visible email addresses.
AP found that this was a personal data breach that should have been reported, since the 101 recipients were registered as “PVV’s friends”, and since each of the 101 recipients thereby had their political belief revealed to the 100 others.
AP found that PVV Overijssel had refrained from reporting the personal data breach without undue delay and not later than 72 hours after PVV Overijssel had been made aware of the infringement on 11 January 2019; hence PVV Overijssel had violated Art. 33 of the GDPR.
In the decision AP states that AP, to date, still has not received any report from PVV Overijssel; hence the infringement is still ongoing.