GDPR News – September 2021
Selected GDPR decisions from the month of September
WhatsApp fined EUR 225 million for inadequate information
In 2018, the Irish Data Protection Commission (DPC) opened an extensive investigation into whether WhatsApp complied with the transparency principle. The DPC examined whether WhatsApp met its GDPR obligations to inform both users and non-users of WhatsApp, and whether that information was provided transparently. During the investigation, the DPC found that WhatsApp had seriously violated Articles 12, 13 and 14 of the GDPR in respect of the information provided to users.
Following the investigation, the DPC presented its draft decision to the other concerned European supervisory authorities in December 2020 and subsequently received objections from eight supervisory authorities. As no consensus could be reached with those authorities, the DPC initiated the dispute resolution process under Article 65 of the GDPR on 3 June 2021. Based on a number of factors, the European Data Protection Board (EDPB) required the DPC to reassess and increase its proposed fine. In addition to the infringements the DPC had already found, the EDPB found that WhatsApp had also violated the transparency principle under Article 5 (1), lit. a of the GDPR, and required the DPC to take this into account when deciding on the final amount of the fine. On these grounds, the DPC set the fine at EUR 225 million.
Regarding Articles 12 and 13, the DPC found that WhatsApp had not provided information about the kinds of data collected “in a short, transparent, concise, easily accessible and easy to understand, and in a clear and plain language”. The DPC made clear that, where information is addressed to children, the transparency principle also requires it to be easy for children to understand.
Among other things, WhatsApp had provided information of such a general character that the DPC regarded it as meaningless. Users often had to follow several links to reach FAQs in order to obtain information they could not find elsewhere on WhatsApp’s website. In that connection, the DPC found it unreasonable to expect users to search the WhatsApp website after failing to find adequate information in the privacy statement.
In respect of Article 14, one of the issues was that a user’s consent gave WhatsApp access to the user’s contacts. The DPC found that this data had been unlawfully processed, since the contacts (in particular those without a WhatsApp account) had not received any information about the processing and so could not in any way have provided their consent. Considering the severity and far-reaching character of the infringements, the DPC concluded that WhatsApp had also violated the transparency principle under Article 5 (1), lit. a.
Fine for failing to provide information about TV surveillance
The Spanish data protection agency (the AEPD) levies a fine of EUR 1,000 against a hairdresser’s
The hairdresser (the data controller) had set up TV surveillance in the salon without providing information about the resulting data processing as required by Article 13 of the GDPR, and the AEPD therefore issued a fine against the hairdresser. The AEPD noted that the obligation to inform could have been met simply by putting up a poster in the salon providing that information.
Danish municipality (Favrskov) reported to the police and should expect a fine for an inadequate level of security
On 19 August 2020, the Danish DPA received a notification from the Danish municipality of Favrskov about a personal data breach. According to the notification, a laptop computer holding the names and personal ID numbers of about 100 persons with physically and/or mentally reduced functional capacity had been stolen during a break-in at the municipality’s offices.
The laptop’s hard disk was not encrypted, and the program in which the confidential and sensitive personal data were stored had no security measures in place for logging its use.
During its investigation of the matter, the DPA established that for a long period before 12 August 2020 the municipality had also failed to ensure encryption of the hard disks of its laptop computers, which amounted to an inadequate level of security.
Article 32 of the GDPR requires the municipality to ensure that data processed by its employees are not made available to anyone unauthorised. The DPA found (i) that the municipality had not implemented appropriate technical measures to ensure a level of security adequate to the risks to the rights of the data subjects, and (ii) that Article 32 had been severely violated.