Relevant privacy headlines
Please find a compilation of the latest relevant privacy headlines below.
EDPB publishes opinion on EU Commission’s draft adequacy decision
On 13 December 2022, the EU Commission published a draft adequacy decision, including annexes, constituting a new framework for transatlantic exchanges of personal data, the EU-U.S. Data Privacy Framework ("DPF"). The European Data Protection Board (EDPB) has now assessed the adequacy of the level of protection afforded in the USA on the basis of its examination of the draft decision. In its assessment, the EDPB welcomed some of the improvements and amplifications presented in the draft decision, but noted several areas in need of further clarification. In particular, the EDPB notes that issues of concern regarding data subject rights previously raised by the WP29 and the EDPB in relation to the Privacy Shield principles remain valid. The next step in the implementation process is an assessment by the Article 93 Committee. Thereafter, the European Commission may decide to adopt the US adequacy decision. If adopted, EU entities may rely on the decision for transatlantic transfers of personal data to the US. The organization NOYB has already announced that it will challenge a new US adequacy decision on the basis that it does not meet the requirements for providing an adequate level of protection. The EDPB's opinion on the draft adequacy decision is available here.
Norwegian DPA imposes an administrative fine due to several cases of insufficient fulfilment of data subjects' rights
A Norwegian fitness company received an administrative fine of NOK 10 000 000 (approximately EUR 900 000), issued by the Norwegian DPA (Datatilsynet), for, among other things, failure to take action and respond in a timely manner to data subjects exercising their rights of access and erasure of their personal data. In addition, the DPA found that the company had not provided sufficient information to data subjects about its data retention policy and that it lacked a valid lawful basis for processing its customers' personal data. The Norwegian DPA's decision is available here.
Irish DPA imposes a reprimand and an administrative fine due to non-compliance with general data processing principles
The Irish DPA (Data Protection Commission) issued an administrative fine of EUR 460 000 against a healthcare company for failing to implement adequate technical and organizational measures to protect personal data against a breach. The company suffered a ransomware attack which caused personal data such as names, dates of birth and contract details to be accessed, altered and destroyed without authorization. Data records of approximately 70 000 data subjects were affected, of which 2 500 data records were permanently affected. The Irish DPA's decision is available here.
Report from Swedish DPA points to deficiencies in organizations required to have data protection officers
On January 27, the Swedish DPA (Integritetsskyddsmyndigheten, IMY) published the report "Data protection in practice", which is based on a survey answered by data protection officers in over 800 organizations. The report revealed that only 4 in 10 data protection officers believe that their own organization works continually and systematically with data protection issues. Half of the data protection officers feel that they can explain the importance of data protection issues to management, and as many feel that they are not involved in a timely manner. IMY's report is available here (Swedish).
EDPB adopts final guidelines on the interplay between the application of Article 3 and the provisions on third country transfers
The EDPB has now adopted a final version of the guidelines clarifying the concept of a third country transfer of personal data. The guidelines clarify the interplay between Article 3 of the GDPR, which sets forth the territorial scope of application of the GDPR, and the provisions in Chapter V regarding third country transfers of personal data. The criteria that must all be fulfilled in order for a third country transfer of personal data to take place are the following:
1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3) The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organization.
Among other things, this means that where personal data is accessed by an employee of a controller within the EU during a business trip in a third country, there is no transfer of personal data under Chapter V of the GDPR, since the employee is not another controller or processor. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place.
The Deloitte Privacy Team has extensive experience in the privacy field and regularly advises on data protection and information security matters. You are very welcome to contact us if you need our help or if you have any questions.