data controllers Archives - TechGDPR (https://techgdpr.com/blog/tag/data-controllers/), feed dated Fri, 31 Oct 2025 17:11:20 +0000

Data protection digest 2-16 June 2025: Data controller, processor, how to properly identify your GDPR role
https://techgdpr.com/blog/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role/
Tue, 17 Jun 2025 08:23:42 +0000

The post Data protection digest 2-16 June 2025: Data controller, processor, how to properly identify your GDPR role appeared first on TechGDPR.

GDPR role, how to determine?

The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification does not always depend on a contractual choice but on the facts: who decides what, and who executes what, concerning personal data. The controller is the natural or legal person who determines both the purposes and the means of the processing (the “why” and “how” of the use of personal data). It ensures compliance with the GDPR but does not necessarily have actual access to the data:

  • The essential means: what personal data is collected and used, for how long, who the recipients are, etc.
  • Non-essential means: technical implementation, such as the choice of software.
  • Where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.

The processor, meanwhile, is a person or body that processes personal data on behalf of the controller. They must always comply with the instructions given by the controller. Sometimes, they can choose the technical means that seem most suitable, as long as this respects the objectives set by the controller. If the processor decides on the objectives and means itself, it exceeds its GDPR role. In this case, it is considered to be the data controller and may be sanctioned.

Only under certain conditions may the processor reuse the data entrusted to them by the data controller for their own purposes. For example, a subcontractor may reuse data for the purpose of improving its cloud computing services. Such re-use could be considered compatible with the original processing, subject to appropriate safeguards such as anonymisation. On the other hand, their reuse for commercial prospecting purposes would hardly satisfy the “compatibility test”.


UK data reform

The Data Use and Access Bill (DUAB) has passed Parliament and now awaits the Royal Assent, when it will become law. The bill introduces a framework of ‘smart data’ schemes to regulate the access, sharing, and protection of customer and business data across various sectors. It introduces, among other things, a recognised legitimate interest list to streamline data use for public safety, interoperable medical records and timely access for professionals, while maintaining a risk-based approach to automated decision-making and sensitive personal information, etc. The UK Information Commissioner is tasked with enforcing the regulations that will be introduced under the bill. The UK now benefits from the EU’s adequacy regime for personal data transfers, which was extended by six months on the Commission’s recommendation, until the end of 2025. This allows the UK government to complete the DUAB in advance of Brussels’ next adequacy assessment.

More legal updates

EDPB latest: The European Data Protection Board has published the final version of guidelines on data transfers to third-country authorities. The EDPB clarifies how organisations can best assess under which conditions they can lawfully respond to requests for personal data from non-European authorities. For example, the updated guidelines address the situation where the recipient of a request is a processor, or where a mother company in a third country receives a request from that country’s authority and then requests the personal data from its subsidiary in Europe.

The EDPB also published training material on AI and data protection addressed to professionals with a legal and technical focus, such as data protection officers, privacy professionals, cybersecurity professionals, developers or deployers of high-risk AI systems. 

High-risk AI: The European Commission opened a consultation on the classification of AI systems as high-risk as part of the implementation of the AI Act, until 18 July. AI systems that classify as high-risk must be developed and designed to meet the requirements about data and data governance, documentation and record-keeping, transparency and provision of information to users, human oversight, robustness, accuracy, security and more. The survey is a targeted consultation to collect input from stakeholders on practical examples of AI systems and on issues to be clarified in the Commission’s guidelines.

Australia privacy updates: The Bird&Bird legal blog explains that from 10 June 2025, Australia’s statutory tort for serious invasions of privacy comes into force. Passed by Parliament last year as part of a privacy reform, it introduces several elements that could trigger a legal action and remedies: a) invasion of privacy, b) reasonable expectation of privacy, c) fault element, d) seriousness, and e) public interest balancing. Read more details on who will be exempt from these rules in the original publication.

Pixel tracking


The French regulator CNIL opened a public consultation on its draft recommendation (in French) on the use of tracking pixels in emails. The objective is to help the actors who use these trackers to better understand their obligations, particularly in terms of collecting user consent. Tracking pixels are an alternative tracking method to cookies. They take the form of an image of 1 pixel by 1 pixel, integrated into a website or an email, but invisible to the user. Loading this image, whose name contains a user ID, tells the sender that the tracked user has visited a page or read an email. The consultation will close on 24 July.

More from supervisory authorities

Federated learning: The EDPS elaborated on the benefits and limitations of Federated Learning (FL), an approach to Machine Learning (ML) in which multiple data sources (devices or entities) collaboratively train a shared model while keeping the data decentralised. From a personal data protection perspective, FL offers significant benefits by minimising personal data sharing (the data exchanged among the client devices and the resulting ML models can be treated as anonymous data) and by supporting purpose limitation. However, one of the primary concerns remains the potential for data leakage through model updates: even without direct access to raw data, an attacker could infer sensitive information by analysing the gradients or weights shared between devices. Continue reading the EDPS analysis here.

Unintentional disclosure: Situations in which personal data are unintentionally disclosed are occurring more and more often, according to the Bulgarian regulator CPDP. The most common cases concern: a) unintentionally or thoughtlessly providing data in a phone conversation or electronic communication with services (brokerage and investment services, marketing research, etc.), b) lost documents containing personal information, including copies of IDs, c) documents incorrectly provided to service providers, d) responding to misleading messages through phishing, smishing and vishing. If you have inadvertently disclosed your personal information in one of these situations:

  • Save all messages, emails, phone numbers, documents and other relevant evidence. 
  • If you have sent information to the wrong address, immediately contact the actual recipient or the one to whom you intended to send the message to inform them and seek any assistance.
  • If you have managed to establish contact with the actual recipient, request to exercise your right to erasure. 
  • Change passwords and enable two-factor authentication wherever possible. 
  • Monitor your bank accounts, social media accounts, and other online platforms. 
  • Tell your family, friends and colleagues so that they can take preventive precautions.


Vodafone multimillion fines

The German federal data protection authority BfDI issued fines totalling 45 mln euros as well as a reprimand imposed on Vodafone. The company uses different distribution channels, including local shops, some of which are operated by partner agencies. Investigations found privacy-related weaknesses in the processes to supervise and audit the processors as well as weaknesses in the IT systems leading to the risk of customer data being misused for fraud. Such risks actually materialised in some cases.

Furthermore, Vodafone offers an online service portal for its customers. When used in combination with the company’s hotline, investigations found weaknesses in the authentication process for the customer accounts that could lead to misuse of eSIMs, etc.

Spotify and Vinted fines upheld

In Sweden, an appeal court upheld the approx. 5.2 mln euro fine imposed on Spotify AB for noncompliance with the GDPR. The company must therefore pay a penalty fee. Spotify did not provide in a clear and easily accessible manner the information necessary for the data subject to be able to exercise their rights. It also failed to provide information about storage periods and criteria for determining these, and did not provide sufficient information about appropriate safeguards when transferring personal data to a third country or an international organisation. 

Similarly, the Regional Administrative Court in Lithuania rejected the complaint of UAB Vinted regarding decisions taken by the State Data Protection Inspectorate VDAI. The court found that all the examined factual circumstances and legal norms were assessed properly, and the regulator acted in accordance with the law and the limits of its competence. Last year, the VDAI fined the company 2.3 mln euros for GDPR violations:

  • improper processing of requests from personal data subjects to delete their data and insufficient and unclear information provided;
  • improper implementation of the accountability principle;
  • processing of personal data through so-called shadow blocking, which was carried out without a clear and lawful basis.

In other news

Pixel tracking fine: The Norwegian regulator has audited six websites’ use of tracking pixels. All of them shared visitors’ personal data with third parties without any legal basis (e.g., visitors were “duped” into consent), and in several of the cases the data was sensitive. The websites were an online pharmacy, services for vulnerable children, medical services, information about various diseases, conditions and diagnoses, and a website that sells bibles. The information included which websites people visited, what actions they took, or what they added to their shopping cart.

The regulator also found violations of the duty to provide information. In one of the cases, it imposed a fine of approx. 22,000 euros. 

Online pharmacy user tracking fine: Finland’s data protection agency meanwhile issued a 1,100,000 euro fine against the pharmacy company Yliopiston Apteekki because of data protection shortcomings, also related to the use of tracking services. The regulator started investigating the practices of the company after a doctoral researcher from the University of Turku contacted them. Using network traffic analysis, the researcher found data protection deficiencies in Finnish online pharmacies as part of research focused on the functioning of health-related online services.

Yliopiston Apteekki had used cookies and other tracking technologies for its online pharmacy in a manner that transmitted data on users’ interactions with the shop related to prescription medicines and over-the-counter medicines directly to Google and Meta, among others. For example, the tracking service providers received data on when a customer added a product to their basket and clicked the purchase button. The transmitted data also included users’ IP addresses and other identifying data. If a user was logged in to their Google or Facebook account when they used the online pharmacy, Google and Meta could have directly identified them. 

23andMe bankruptcy case

23andMe’s customers should be given the opportunity to consent to the sale of their personal data to whoever buys the company’s assets, a consumer privacy ombudsman has told the bankruptcy court handling 23andMe’s case, the VitalLaw law blog reports. An alternative safeguard would be for the consent request to come from the winning bidder. The question of what happens to 23andMe’s data upon sale has attracted significant interest from privacy advocates, lawyers and politicians, with US congressional hearings and calls for legislation to protect genetic data. You can view the whole 211-page ombudsman report into 23andMe’s planned sale of customers’ personally identifiable information here.

In case you missed it 

Diversity at work: In a context of increased awareness of the fight against discrimination, more organisations want to measure the diversity within their workforce. Diversity measurement surveys distributed by employers to their employees collect personal, sometimes sensitive, data, explains the French CNIL, and must be accompanied by guarantees, in accordance with the GDPR. These surveys must remain optional, and employees or agents must be properly informed and their rights respected. The CNIL also recommends favouring anonymous surveys and limiting the data collected with closed-ended questions. Further advice for employers (in French) can be read here.

AI assistants industry: Building AI assistants that fit into our daily lives is a top priority for the AI sector. Privacy International says that companies in this field need to respond to concerns about how they will secure our data. Some tasks require more processing power than a personal device can provide, so corporations address that problem with cloud-enabled synchronisation. Once the data leaves the device, businesses could use it to train their systems, and they might grant access to your data to their employees and service providers. Such uses surpass what a consumer may reasonably expect. Therefore, AI firms must give users clear answers to questions such as:

  • How do I have granular control over access to sensors, data and apps?
  • How can I easily access settings to retract consent?
  • Where is the clear information on what data is used to respond to a query?
  • How can I access and delete any data accessed and used by the Assistant?

According to PI, this is why it is crucial that users insist that their data be processed on their devices as much as possible and used only for specific and limited reasons.  

Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor
https://techgdpr.com/blog/data-protection-digest-05022025-data-controller-obligation-to-monitor-deletion-or-return-of-personal-data-held-by-the-processor/
Mon, 05 May 2025 08:07:19 +0000

The post Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor appeared first on TechGDPR.

Data controller obligation

Upon termination of a processing agreement, the controller is obliged to monitor the deletion of personal data held by the processor. Such was a ruling by the Higher Regional Court of Dresden, Germany, examined closely in a DLA Piper analysis. The plaintiff was a user of the online music streaming service run by the controller. A data breach in 2022 at a former external (non-EU) processor of the controller, involving the personal data of clients, set off the case (hackers offered this data for sale on the dark web). The controller-processor relationship had come to an end several years before the data breach, in 2019. As per the terms of the data processing agreement, the controller had the option to either delete or return the data once processing was complete. However, the controller never exercised this right.


Data subject rights under the DSA


On 21 April, the European Commission established internal regulations limiting certain data subjects’ rights (information, access, rectification, erasure, and notification of breaches) under the Digital Services Act. It encompasses the personal data of suspects, victims, whistleblowers, informants, witnesses, and staff of undertakings, under the Commission’s supervisory, investigative, enforcement, and monitoring activities. The Commission must publish a data protection notice and inform affected individuals where appropriate.

TikTok fine

The Irish privacy regulator DPC has fined TikTok 530 million euros after an inquiry into transfers of EEA users’ data to China (enabling storage of and access to it). The inquiry also examined whether the information provided to users about such transfers met TikTok’s transparency requirements under the GDPR. TikTok first informed the DPC that it did not store EEA user data on servers located in China. However, later on, TikTok informed the DPC that it had provided inaccurate information to the inquiry. Whilst TikTok has informed the DPC that the data has now been deleted, the regulator is considering whether further regulatory action, in consultation with peer EU Data Protection Authorities, may be warranted.

COPPA Rule

On 22 April, the US Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule to enhance content moderation and data protection for children under 13. The amendments will take effect on 23 June, with full compliance required by 22 April 2026. The amended rule introduces a new definition for “mixed audience website or online service.” It also requires operators to implement age screening methods that are neutral and to avoid collecting any personal information before determining the user’s age, with few exceptions.

In the meantime, the first US state, Arkansas, approved the Children and Teens’ Online Privacy Protection Act, which was modelled after the pending federal law known as COPPA 2.0. Consent requirements, data minimisation, targeted advertising restriction, data subject rights, and data security are all applicable to any for-profit operator of a website, online service, or app that targets children or teenagers or knows that it is gathering their data. 

More from supervisory authorities

The Data Act: The European Data Act will take effect on September 12. Manufacturers of internet-enabled devices will then be required to share the data sent by connected devices with third parties, explains the Hamburg data protection authority. Machines, household appliances, and vehicles connected to the internet generate large amounts of data every day. Those wishing to take advantage of the act should familiarise themselves with access rights. Those subject to the obligations of the act must prepare for access requests and develop strategies for protecting personal data and trade secrets. 

To that end, the regulator offers the manual “The Data Act as a Challenge for Data Protection” (in German). 

Multi-device consent: The French CNIL launches a public consultation on its draft recommendation (in French). The guidance concerns actors who plan to collect cross-device consent only when users are authenticated to an account. When a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices would be automatically applied to all devices connected to their account. This includes, but is not limited to, their smartphone, tablet, computer or connected TV, as well as the browser or app used.   

Children’s code: In the UK, Ofcom issued a draft Protection of Children Code of Practice for search services under the Online Safety Act 2023. Implementing the list of recommended measures set out in this Code will inevitably involve the processing of personal data. The Information Commissioner’s Office has already set out that it expects service providers to take a ‘data protection by design and by default’ approach when implementing online safety systems and processes. Over time, Ofcom might update the Codes to take account of technological developments.

Customer data

What should merchants consider when recording telephone conversations with customers? The Latvian data protection regulator explains. A voice recording becomes personal data when it can be linked to a specific person. Therefore, such data processing must be carried out under the requirements of the GDPR:

  • An appropriate and as specific as possible purpose must be defined for such data processing (e.g., to improve the quality of the advice or service provided and thus to communicate with customers, as well as possibly to promote sales).
  • The recordings may only be used to achieve the specified purpose and not for other, unrelated purposes.
  • A balancing test must be carried out to determine whether such processing would unduly prejudice the customers’ rights to data protection.
  • Conversation recordings may only be kept for as long as necessary to achieve the goal. 
  • Access to records should be limited to authorised persons whose tasks are directly related to the purpose of processing the records.
  • When recording telephone conversations with customers, the merchant must inform them at the beginning of the conversation about the recording.

In parallel, the Estonian data protection agency issued new practical guidance to help online stores protect their customers’ data (in Estonian). It provides advice on ensuring data security, preventing cyber threats, and managing risks for both new and experienced online retailers, highlighting, among other things, the importance of strong authentication, encryption and log management, as well as the need to carefully evaluate cooperation with third-party service providers, data breach response and employee training.

Synthetic data generation


The Spanish AEPD has published the Spanish translation of the Guide to synthetic data generation, prepared by the Singapore data protection authority. Synthetic data is artificially generated to simulate real data and must retain its essential statistical characteristics to be useful without compromising personal data. Its generation must be carefully planned, falling along a spectrum ranging from completely random data to real data. The guide includes practical case studies on the best practices for generating synthetic data and reducing residual re-identification risks.

More official guidance

NIST cybersecurity guide: America’s NIST has updated its Privacy Framework, tying it to recent Cybersecurity Guidelines. It is intended to help organisations manage the privacy risks that arise from personal data flowing through complex IT systems. Failure to manage these risks effectively can directly affect individuals and society, potentially damaging organisations’ brands, bottom lines and prospects for growth. Following the comment period (until 13 June), NIST will consider additional changes and release a final version later this year.

Domestic cameras are not excluded from GDPR: The Liechtenstein data protection agency has supplemented its guide on video surveillance with information on surveillance within one’s own home. Data protection does not stop in your living room, at least not if the purpose of data collection is not exclusively for personal or family activities. This is particularly the case if the purpose is to ensure security or perform quality control, for example, the observation of staff or external third parties (cleaners, gardeners, babysitters, etc.). This applies equally to video surveillance and pure audio recordings.

Large databases: Art. 5 and 32 of the GDPR require controllers and processors to process personal data in such a way as to ensure an appropriate level of security, in particular regarding the risks of massive data exfiltration, as the French CNIL reminds us. For large databases, such measures can be implemented through the following:

  • Secure external access to the information system via multi-factor authentication
  • Log, analyse and set limits on the data flows that pass through the information system
  • Consider humans as security actors: organise regular awareness-raising sessions adapted to user profiles (employees, developers, managers, subcontractors, etc.)
  • Emphasise the data controller obligation to supervise data security with subcontractors.

More content from the CNIL on cybersecurity can be found on this page.

In other news


Apple and Meta fines: The European Commission imposed the first fines under its Digital Markets Act, punishing tech behemoths Apple and Meta for violating the EU’s new digital regulations. Apple was fined 500 million euros for violating the rules governing app stores (the “anti-steering” obligation). Meta, meanwhile, was fined 200 million euros for its “pay or consent” advertising approach, which charges EU users to use Facebook and Instagram without advertisements.

Workado AI detector: America’s FTC requires Workado to stop advertising the accuracy of its AI detection products unless it shows that those products are as accurate as the claimed 98%, as independent testing showed the accuracy rate on general-purpose content was just 53%. The company says that its AI Content Detector was developed using a wide range of material, including blog posts and Wikipedia entries, to make it more accurate for the average user. The FTC alleges, however, that the AI model powering the AI Content Detector was only trained or fine-tuned to effectively classify academic content.


Facial recognition at football matches

The Danish data protection agency has granted FC Copenhagen and the Danish Football Association permission to use automatic facial recognition during international football matches. The purpose is to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches. The technology can therefore be used for access control to Parken Stadium. The impact assessment must be carried out before the processing begins.

Personal data processed as part of the facial recognition system must be transported to and stored encrypted on the server using up-to-date and widely recognised encryption algorithms. This also applies to the use of mobile devices at away matches. 

More enforcement decisions

Proof of consent for marketing calls: The UK’s ICO fined AFK Letters 90,000 pounds for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service. Between January and September 2023, AFK used data collected through its website and a third-party telephone survey company to make mass marketing calls without being able to demonstrate valid and specific consent from the people contacted. Despite AFK claiming it could not provide evidence of consent because it deleted all customer data after three months, when challenged it was also unable to provide consent records for several calls made within a three-month timeframe.

User tracking: The Hamburg data protection authority launched a large-scale automated review campaign in mid-April. Most of the 1,000 websites randomly selected comply with data protection regulations; however, deficiencies were identified on 185 local websites. Various third-party web services (Google Analytics, Google Maps, Google Ads, YouTube, Facebook, Vimeo, MS advertising, Pinterest) were activated immediately upon accessing the site, resulting in users being tracked without the legally required consent.

Email security analysis tool errors: In Romania, the data protection agency fined BITDEFENDER (a software company) the equivalent of 10,000 euros. The investigation was initiated following the submission by the company of a personal data breach notification. Due to a programming or implementation error in the update operation of the email security analysis service, a significant amount of customers’ personal data was disclosed to third parties. The operator did not implement appropriate technical and organisational measures and did not carry out periodic testing, evaluation and assessment, including of the continued confidentiality, integrity, availability and resilience of systems and services.

In case you missed it 

Revolut staff tracking: According to The Guardian, the fintech company Revolut has been monitoring employee behaviour and awarding or deducting points on an internal “Karma” system. Revolut’s annual report described the practice as ‘successful’ while also revealing that last year’s profits had more than quadrupled. The 2020-launched system tracks how effectively employees adhere to risk and compliance regulations, awarding and deducting points that eventually impact compensation. After those points are added up at the team level, the ultimate bonus for each employee is either deducted or multiplied.

CJEU knowledge base on data protection: The EU’s top court has published a Fact Sheet document on the Protection of personal data, to present a selection of seminal rulings on the subject and rulings that have made a significant contribution to the development of this case-law. The document relates to sector-specific rules, particularly in the electronic communications sector and criminal law, but also aims to present a selection of judgments dealing with rules which are applicable across multiple areas.

Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court
https://techgdpr.com/blog/data-protection-digest-17052023-data-processing-roles-and-obligations-elaborated-by-eu-top-court/
Wed, 17 May 2023 07:38:02 +0000

The post Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal redress

Pseudonymised (non-personal) data processing: In SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party to another is not regarded as personal data in the recipient’s hands if the recipient has no legal means of obtaining the additional, identifying information. The lawsuit resulted from the Single Resolution Board’s (SRB) decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. In order to guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that could link the alphanumeric codes back to specific responses was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.

Right to GDPR compensation: The CJEU has recently published a number of rulings related to data subject rights. In one case, Österreichische Post used an algorithm to collect information on the political affinities of the Austrian population. Following lawsuits for compensation from upset citizens who had not consented to this, the Austrian supreme court asked the CJEU whether a mere infringement of the GDPR is sufficient to confer that right, and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what the EU-law requirements are for determining the amount of damages.

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to CRIF in Austria (a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties). It sent the applicant in question a summary of his personal data undergoing processing. However, the individual had expected a copy of all of the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court.

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: fines may only be imposed for intentional or negligent conduct (‘mens rea’). The referring court wanted to know whether the state agency could be fined on the simple basis that it had breached the obligations imposed on it by virtue of being a controller (strict liability), or whether an element of fault in committing the relevant breach is required.

The case concerns the Lithuanian Public Health Centre’s design and deployment of a mobile application for tracking COVID-infected people. After funding for the project failed, the state agency asked the app developers (initially defined as joint controllers) not to use the LPHC details or any association with them in the mobile product. However, the app continued to be available for download by the public, unaltered. Consequently, the data protection authority decided to impose a fine on both entities in their capacity as joint controllers.

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data to create a company’s marketing campaign. Whether you only store a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as correct and as secure as possible. The main principles to be followed are:

  • Determine the purpose for which the database is being created (e.g. administration of fees, sending news, ensuring access).
  • Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday (e.g. if you plan to send information only by e-mail, you do not need to ask the customer for a phone number).
  • The information included in the customer database must also be accurate and must be updated as necessary (e.g. inaccurate data may allow the service to be used by a person who has not paid for it).
  • The necessary technical and organisational requirements must be implemented (e.g. limit the personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase in number and the greater complexity (including the one-stop-shop mechanism) of the issues addressed by the data protection agency in sanctioning procedures show the need to extend some of the resolution deadlines. For this reason, the modification provides for an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months for prior investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a 12.7 million pound fine to TikTok Information Technologies UK Limited and TikTok Inc for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Whilst TikTok purports to rely, in part, on contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage child users of its video-sharing platform, or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligations. It was found that a response sent to a plaintiff by e-mail did not contain information about the possibility of filing a complaint with a supervisory authority and bringing a judicial appeal against the bank’s refusal to communicate a copy of a requested video recording, thus violating the provisions of Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has decided to ban Statistics Norway’s planned collection of data on the population’s grocery purchases. Through bank and bank transaction data, Statistics Norway would have information on what a significant proportion of the population buys for groceries. This in turn could be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intrusion into the individual’s privacy will have already occurred once the personal information was collected (from private actors). Finally, citizens have no real opportunity to oppose such a collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on a debt collection agency. The data controller did not inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with the consumer bankruptcy monitoring service. The debt collection agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach.

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide for the supervision of cryptographic systems as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that forms part of the conditions for compliant processing and as an aid to mitigate the risks in the event of a possible personal data breach. However, if not well designed, it can give a false sense of security that relaxes the application of other complementary measures, in particular privacy by design. The document also proposes a list of controls to help the data protection specialist select those that could be the most appropriate for validating the encryption system. Read the full guide (in Spanish) here.

Password hurdle: Reportedly, the average internet user has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency based on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all.

Password managers also offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak, and repeated passwords are no longer so problematic since access to the service requires an additional unique code that is obtained over the phone. 

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialize in stealing user data. Nothing helps if we have long and unique passwords, because the virus simply copies them and sends them to attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision in a plenary vote. Although the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection, and called on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs call on the Commission not to adopt the adequacy finding until all the recommendations – on safeguards against American intelligence activities, and on practical deployment of the redress mechanism for individuals – are fully implemented.

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet with members of the House of Representatives and Senators working on privacy and cybersecurity issues, including sponsors of different federal privacy acts, as well as the Federal Trade Commission, the US Courts administration, the Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs and think-tanks.

UK privacy reform: According to govinfosecurity.com, the Information Commissioner gave assurances to UK lawmakers considering changes to the country’s national privacy legislation that the changes won’t jeopardize the adequacy decision granted by the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as an alternative to the GDPR that is more pro-innovation and less bureaucratic. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collection infringed private communications.

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.
