How has the GDPR been implemented by small and medium-sized companies? Does TikTok respect the personal data of the children who use it? Can companies use contact tracing to prevent the spread of coronavirus? These answers and more, below…
Data Protection at Authorities
Autorité de protection des données – Belgium
In partnership with the University of Brussels, the authority organized meetings with organizations in the sector in order to identify the level of knowledge and the current challenges of small and medium-sized companies in relation to the GDPR. The report revealed that the main challenges are: (i) collaboration with third parties when acting as a processor (subcontractor); (ii) lack of financial resources to implement measures and difficulty obtaining sufficient information; (iii) lack of knowledge about the rights of data subjects; and (iv) discouragement caused by lengthy administrative processes.
Commission for Personal Data Protection – Bulgaria
On June 24, the European Commission published a report evaluating the implementation of the regulation and recognized that most of the objectives were achieved, providing a strong set of rights applicable to citizens and the creation of a new European governance system. In addition, it concluded that harmonization between Member States is increasing and that companies are developing a culture of compliance and are increasingly using data protection as a competitive advantage.
Commissioner for Personal Data Protection – Cyprus
The authority explained that, although access to health data, medical records and other information is necessary to provide adequate treatment, giving every health professional access to all of a patient's health data, as currently happens in the GESY system, violates the protection of personal data. The authority advises that the system change its architecture so that health professionals have only partial access to patient data, viewing only the information necessary for the processing in hand.
Office for Personal Data Protection – Czech Republic
The authority’s president, Ivana Janů, spoke at a public hearing in the Senate and emphasized the need to clarify the conditions under which restrictions or prohibitions occur. She also pointed out that the authority’s role has not been respected, since projects such as Smart Quarantine 2.0 were not submitted for consultation and, above all, the data protection impact assessment was not completed, opening the possibility for the misuse of personal data. Finally, the president recalled that it is important for data to be anonymized, as this is the only processing the legislation allows for this type of application (contact tracing).
Datatilsynet – Denmark
The authority states that since 2013 the Region of Southern Denmark has used a network drive for temporary storage of documents. It was found that the network drive was not protected with adequate access control: approximately 30,000 employees had access to all documents stored on it, including ordinary, confidential and special-category personal data, among them information about vulnerable children and groups. The authority ordered the region to inform the data subjects of the breach and severely criticized the storage practice.
The EDPB has published a summary of the decisions in cases dealt with under the so-called “one-stop shop” mechanism, i.e. cases that concern cross-border data processing. The register is available on the European Data Protection Board website.
Lejre Municipality was fined DKK 50,000 for failing to fulfill its obligations as a data controller and failing to implement adequate security measures. The case showed that the municipality had a practice of uploading minutes of meetings containing sensitive personal data, including children’s data, to the municipal employees’ portal. On the portal, most of the municipality’s employees could access the information, regardless of whether they had any involvement with the case.
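The Cypriot recommendation above (partial access, limited to what the processing in hand needs) and the two Danish cases (a drive and a portal readable by staff regardless of their involvement with the case) describe the same missing control: need-to-know access enforced per record and per field. The Python below is an added example written for this edition; it is not code from any of the authorities or systems named, and the roles, field lists, users and records are all constructed for illustration.

```python
"""Need-to-know access to case records (constructed example).

A user may read a record only if they are involved with its case, and even
then sees only the fields their role needs. Everything else is withheld and
the decision is logged so that broad exposure can be audited.
"""
from dataclasses import dataclass, field

# Fields each (hypothetical) role may read. Anything not listed is withheld.
ROLE_FIELDS = {
    "treating_clinician": {"patient_id", "diagnosis", "medication", "allergies"},
    "reception": {"patient_id", "name", "next_appointment"},
    "caseworker": {"case_id", "name", "minutes"},
}


@dataclass
class Record:
    record_id: str
    case_id: str
    categories: set   # e.g. {"health"}, {"minor"}: special-category markers
    fields: dict


@dataclass
class User:
    user_id: str
    role: str
    assigned_cases: set


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)


def read_record(user, record, log):
    """Return only the fields this user needs for this record, or None if denied."""
    cats = sorted(record.categories)
    if user.role not in ROLE_FIELDS:
        log.entries.append((user.user_id, record.record_id, "DENY", "unknown role", cats))
        return None
    if record.case_id not in user.assigned_cases:
        # The Southern Denmark / Lejre failure was skipping exactly this check.
        log.entries.append((user.user_id, record.record_id, "DENY", "not assigned", cats))
        return None
    allowed = ROLE_FIELDS[user.role]
    visible = {k: v for k, v in record.fields.items() if k in allowed}
    withheld = sorted(set(record.fields) - allowed)
    log.entries.append((user.user_id, record.record_id, "ALLOW", f"withheld={withheld}", cats))
    return visible


def audit_exposure(users, records):
    """Count how many users can read at least one field of each record.

    A count close to the whole workforce is the condition both Danish
    decisions criticised; a healthy system shows small numbers per record.
    """
    return {
        rec.record_id: sum(1 for u in users if read_record(u, rec, AccessLog()) is not None)
        for rec in records
    }


def build_demo():
    """Constructed users and records; no real persons or cases."""
    records = [
        Record("R1", "CASE-17", {"health"}, {
            "patient_id": "P-1", "name": "A. Example", "diagnosis": "asthma",
            "medication": "salbutamol", "allergies": "none",
            "next_appointment": "2020-07-20", "billing_account": "ACC-9"}),
        Record("R2", "CASE-42", {"minor"}, {
            "case_id": "CASE-42", "name": "B. Example",
            "minutes": "meeting notes ...", "school": "X"}),
    ]
    users = [
        User("dr_lee", "treating_clinician", {"CASE-17"}),
        User("dr_kim", "treating_clinician", {"CASE-99"}),  # not involved with CASE-17
        User("front_desk", "reception", {"CASE-17"}),
        User("cw_ann", "caseworker", {"CASE-42"}),
        User("cw_bob", "caseworker", set()),               # employee with no case involvement
    ]
    return users, records


if __name__ == "__main__":
    users, records = build_demo()
    log = AccessLog()
    for u in users:
        print(u.user_id, read_record(u, records[0], log))
    print(audit_exposure(users, records))
    for entry in log.entries:
        print(entry)
```

The point to notice is that the same clinician role yields different results for `dr_lee` and `dr_kim`: role alone is not enough, and assignment to the case is checked first. The audit function is the check a DPO could run against an existing system to find the 30,000-employee situation before a supervisory authority does.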
In the investigation opened on June 30, the authority intends to find out whether the service offered by TikTok complies with data protection rules. Director Cristina Angela Gulisano stated that “TikTok is very popular with children in particular who, according to the GDPR, are entitled to special protection of their information. So we are now looking into the extent of personal data processing in the app and what the legal basis for that processing is. In addition, we are investigating various aspects of TikTok’s security.”
European Data Protection Supervisor – EDPS
The strategy focuses on three pillars: foresight, action and solidarity. The authority reinforces that it will work continuously to defend and preserve human rights and notes that, in recent years, the fragility of the rule of law and of other fundamental values of democratic institutions has become visible. The strategy also discusses the impact of the pandemic on the formulation of the action plan, since the health crisis has raised the importance of the digital economy, as well as the need for effective guarantees regarding the protection of personal data.
The document emphasizes that, when public administrations maintain contractual relationships with ICT service providers, the terms of these contracts should reinforce control over how and why personal data is processed. The authority further recommends that the roles and responsibilities of data processors and sub-processors be clearly defined and monitored, in order to minimize risks to the privacy of individuals.
The authority says that impact assessments are one of the newest and most valuable accountability tools that institutions can use when processing sensitive personal data, and for measuring the impact and risks for individuals. The report is structured as questions and answers drawn from the responses to a survey the EDPS launched in February 2020.
CNIL – France
The software provided by the authority allows keyword searches within a completed impact assessment, archiving of analyses, creation of new versions of an impact assessment, categorization of analyses and fine-grained tracking of each analysis's percentage of completion. The tool is available in 20 languages, including Portuguese and English.
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit – Germany
The authority concluded that anonymization is fundamentally possible given an appropriate legal basis, including in the telecommunications sector. The document recalls the importance of analysing anonymous data sets for research projects and business models. It also points to the importance of the obligation to delete data immediately after use, to which a strict standard is to be applied.
Data Protection Commission – Ireland
The authority published a response to the return-to-work protocol created jointly by the business department and the health department. The authority states that: (i) data used for contact tracing must not be used for any other purpose; (ii) forms must collect the minimum information necessary to achieve the objective and must not be used for any other purpose; (iii) temperature measurement must respect the principles of proportionality and necessity, based on recommendations from the health department; and (iv) there must be a legal basis for the processing of any personal data of employees.
Garante per la Protezione dei Dati Personali – Italy
To the questions “Can applications with contact tracing functions be used in companies?” and “To reduce the risk of contagion in the workplace, are there applications that do not process personal data?”, the authority replies that the use of contact tracing applications is possible provided that art. 6 of the GDPR is respected, and that the employer may instead use applications that do not involve the processing of personal data. It gives the example of applications that count the number of people entering and leaving a location without identifying them.
Autoriteit Persoonsgegevens – Netherlands
In the published annual report, it is possible to note that the authority has focused more on enforcement of the legislation itself, whereas in 2018 the emphasis was on establishing guidelines and information about the GDPR. At the end of the leniency period, the authority imposed 4 fines, with a total value of 2.5 million euros. The violations involved access to medical records, sale of member data, biometrics and the right of access.
The authority fined the credit registration bureau EUR 830,000 after receiving complaints about the limits the company placed on data subjects viewing their own personal data. According to the chairman of the authority, Aleid Wolfsen, “access to personal data in credit records is very important. A negative credit record can have consequences for obtaining a loan or mortgage. Therefore, it is important to be able to check quickly and easily what personal data is processed about you and whether it was done properly.”
Datainspektionen – Sweden
After a complaint about how ABB handles the personal data of job seekers, the authority began an audit of the company. The authority is now asking ABB a series of questions to find out, among other things, in which countries personal data of the type mentioned in the complaint is processed in connection with recruitment, and in which country the decision was made to process personal data in this way.
Data Protection at Universities
In the article, the author uses the question of whether the digital contact tracing application developed by the United Kingdom, under the direction of NHSX and with the help of the private sector, can be used safely in order to address at the same time one of the most relevant problems of state surveillance: the digital footprint that results from the use of technology and that forms the basis of “surveillance capitalism”.
The article analyzes recent changes in European Union countries in the field of protecting citizens’ fundamental rights and freedoms in the processing of personal data by law enforcement authorities. It also provides examples of law enforcement models in European countries for the circulation of personal information between authorities, drawing attention to the principles established for such processing: lawfulness, fairness and transparency, as well as data minimization, storage limitation, integrity and confidentiality.
Data Protection in the Brazilian Legislative
On June 30, Bill No. 2630/2020, presented by Senator Alessandro Vieira of the CIDADANIA party, was approved; it institutes the Brazilian Law on Freedom, Responsibility and Transparency on the Internet. The substitute text presented by Senator Angelo Coronel was approved, except for the highlighted amendments. The Bill was sent to the Chamber of Deputies and is awaiting a vote in that House.
On July 3, Federal Deputy Nereu Crispim of PSL presented PL 3627/2020, which amends the Marco Civil da Internet to create mechanisms for verifying the identity of active profiles on internet applications that operate as social networks, and a platform for registering police reports in the event of crimes against honor committed or disclosed on social networks. The Bill is in the plenary of the Chamber of Deputies.
Presented on June 30 by Federal Deputy Luiz Philippe de Orleans e Bragança of PSL, PL 3573/2020 amends the Marco Civil da Internet to restrict the cases in which internet applications may remove content, establishing that content generated by a third party may only be removed by court order or with an express indication of the crime being committed through the disclosure of the removed content. The Bill is with the Board of Directors of the Chamber of Deputies.
Data Protection in the Brazilian Judiciary
On June 25, a monocratic decision was published in which Justice Gilmar Mendes refused a request for a precautionary measure to end data sharing between the Brazilian Intelligence Agency (ABIN) and the National Traffic Department (DENATRAN), on the grounds that the request was moot: the administrative contract with SERPRO that would make the sharing possible had not yet been concluded, so no sharing had taken place so far. The Justice summoned the Attorney General of the Union and the Prosecutor General of the Republic to give their views, within ten days, on the object of the ADPF (the sharing of citizens’ data between ABIN and DENATRAN).