Selected GDPR decisions from the month of June
Company with fewer than 10 employees fined EUR 20,000 for its handling of passwords and TV surveillance
The French DPA has fined the small translation agency UNINTRAD COMPANY because the employees did not have personal passwords for their e-mail accounts, were not adequately informed about the TV surveillance installed, and the TV surveillance ran constantly. The DPA had twice previously drawn attention to the violations.
The decision demonstrates the importance of complying with the DPA's orders and illustrates that small companies are not exempt from fines.
Copenhagen underground service legitimately refused to disclose TV surveillance recordings
Generally, the GDPR stipulates an absolute right for data subjects to obtain access to personal data which a company processes about them. However, the GDPR allows Member States to restrict this right within certain legally prescribed areas, provided that the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society.
Denmark applies restrictions to this right if the data subject's interest in obtaining information is found to be overridden by essential considerations of private or public interests. Similar restrictions apply e.g. in the Czech Republic, the Netherlands, the UK and France.
By referring to the public interest, the Danish DPA determined that it was not contrary to regulations that Metro Service, a Copenhagen underground service, refused to give a passenger access to the TV surveillance recordings.
According to the DPA, the public interest in keeping the location of cameras secret (and therefore also any blind spots) was of greater importance than the passenger's interest in his right of access, because the request was made without a specific reason being given. A specific reason for gaining access to (parts of) the recordings could, for example, be a fall injury.
Football app fined EUR 250,000 for secretly tapping users
The top Spanish football league, La Liga, used its app of the same name to collect location data on nearly 5 million Spanish users and, in that connection, switched on the microphone of the user's telephone or tablet when the user was in a pub or similar place. By analyzing the audio track with an algorithm, it could be established whether the pubs, etc. were broadcasting football games without a license for doing so.
Although the users had consented, when downloading the app, to the app accessing their location and microphone, the Spanish DPA found that La Liga's use of such data had not been clearly and distinctly communicated to the users. Hence, it was contrary to the lawfulness, fairness and transparency principle. The DPA also found that the consent was invalid as the users did not have the option of withdrawing their consent.
Interestingly, the Spanish DPA found that the lawfulness, fairness and transparency principle in fact implies a requirement for La Liga to provide additional information every time a recording is made. The DPA reasoned this by stating that “it is impossible for the user to remember what he has and what he has not consented to each time he uses the La Liga app”. As a potential solution, the DPA suggests that a microphone icon pops up on the screen each time recordings are made from the telephone in question.
Danish furniture retailer to expect fine of DKK 1.5 million (approx. EUR 210,000) for failing to erase personal data
In 2018, the Danish DPA carried out a number of inspections focusing on the erasure of personal data, which in March resulted in TAXA 4x35, a Danish taxi company, being fined DKK 1.2 million (approx. EUR 160,800). Now IDdesign, the head company of furniture retailers ILVA, IDEmøbler and IDdesign, can expect a fine of DKK 1.5 million (approx. EUR 210,000).
The DPA found that IDdesign – like TAXA 4x35 – did not comply with the basic principle on storage limitation, according to which personal data must be erased or rendered anonymous once it is no longer necessary to store the data. Without any technical reasons, IDdesign possessed data belonging to about 385,000 customers. The DPA also found that IDdesign did not have adequately implemented and substantiated deadlines for erasure.
The decisions of the DPA illustrate that the scope of personal data is not in itself decisive for the size of the fine, seeing that TAXA 4x35 possessed significantly more personal data than IDdesign and yet was issued a smaller fine.
Two important reasons for the difference in the amount of the fine are likely to be found in the fact that, unlike IDdesign, TAXA 4x35 had attempted, first, to anonymise the information and, secondly, to actually erase the data after a given storage period, which, however, was considered by the DPA to be too long.