
International Data Protection Enforcement Bulletin – April 2016

Enforcement tables by country .................... 9

Australia ...................................................... 9

Belgium ....................................................... 11

China ........................................................... 12

Czech Republic ............................................ 13

Denmark ..................................................... 14

Finland ........................................................ 15

France ......................................................... 16

Germany ..................................................... 24

Hong Kong .................................................. 25

Hungary ...................................................... 27

Italy ............................................................. 29

The Netherlands .......................................... 33

Poland ......................................................... 37

Spain .......................................................... 38

Sweden ....................................................... 40

Switzerland ................................................ 44

United Kingdom .......................................... 45

Data Protection News

Asia-Pacific

Updates on Selected Privacy Regimes in the Asia-Pacific Region

Chia Ling Koh, Partner, Dharma Sadasivan, Associate & Shaun Oon, Trainee, Bird&Bird, Singapore office

A number of privacy regimes in the Asia-Pacific region ("Asia-Pac") have updated or clarified their positions over the past year. In this article, we take a look at updates to Singapore's data protection regime, as well as the Philippines, South Korea, Malaysia, Japan, Indonesia and China.

Singapore

The Personal Data Protection Commission ("PDPC") issued a clarification in its monthly newsletter "DPO Connect" that an organisation responding to an access request from an individual must include personal data under its control, even if the personal data is not in the organisation's possession. In other words, the organisation must provide the individual with access to his or her personal data that the organisation's data intermediaries are processing on behalf of the organisation in addition to the personal data that the organisation itself possesses. This update is not legally binding and is merely guidance from the PDPC in its newsletter. However, it is indicative of the PDPC's attitude towards the standard of compliance required to respond to access requests from individuals.

The PDPC also clarified through DPO Connect that generally, an organisation may disclose anonymised personal data without obtaining consent, as the PDPA does not cover anonymised data. However, the organisation must consider the risks of re-identification by the recipient organisation. Re-identification renders the anonymised data personal data again, and the PDPA will again apply. The PDPC stated that if the risk of re-identification is high, the data will be considered personal data, and if the risk of re-identification is trivial, the PDPC will consider the data anonymised. The PDPC also highlighted the following considerations as relevant:

the nature or the type of personal data that has been "de-identified" (sic);

the degree or standard of the anonymisation process;

the complementary data available; and

the capability and motivation of the receiving organisation in re-identifying individuals from the disclosed dataset.

However, it remains unclear to what extent or standard the disclosing organisation must take steps to assess the risk of re-identification by the recipient organisation, how rigorously the disclosing organisation must assess the receiving organisation's available complementary data, and how the disclosing organisation is supposed to determine and assess the receiving organisation's capability or motivation in re-identifying individuals.

Philippines

The President of the Philippines issued an executive order for the creation of the National Cybersecurity Inter-Agency Committee ("Committee") on 17 September 2015. The members of the Committee include the Chairman of the National Privacy Commission ("NPC") – the regulatory body tasked with overseeing compliance with the Philippines Data Privacy Act of 2012 ("DPA") – suggesting that the NPC has been formed and the Chairman has been appointed.

Various news sources have reported that the NPC has indeed been formed, and that it comprises a Commissioner and two Deputy Commissioners, as stipulated under the DPA. However, no verification of this is reflected on the government websites of the Philippines as yet. Under the DPA, the NPC is required to "promulgate the rules and regulations to effectively implement the provisions of [the DPA]." It is unclear whether the provisions of the DPA can be implemented prior to the promulgation of such rules and regulations, which gives rise to uncertainty about how the DPA will be enforced.

There is a wide range of offences under the DPA which attract severe penalties, including fines, imprisonment, and deportation. Maximum penalties are prescribed for offences "where the personal information of at least one hundred (100) persons is harmed, affected or involved as a result of the [offence]." As such, enforcement remains a concern for multinationals which handle large volumes of personal data.

South Korea

There have been a number of updates to South Korea's Personal Information Protection Act ("PIPA") in the past year.

In March 2015, the Korean National Assembly passed the Act on the Development of Cloud Computing and Protection of Users, which came into force on 28 September 2015. The Act imposes certain breach notification obligations, prohibits disclosures of personal information to third parties and the use of personal information for fresh purposes without the individual's consent, and requires organisations to return or destroy personal information exchanged between parties upon the termination of the parties' contract.

In July 2015, the Korean National Assembly passed an Amendment Bill to the PIPA that combines multiple major provisions from previous bills. Among other things, the amended PIPA will now include punitive and statutory damages for data breaches. However, the effective date for the amendments has yet to be set.

In August 2015, the Korean Communications Commission published a guide for mobile applications in South Korea. In particular, the guide provides advice on how to obtain consent for the collection and use of personal information through mobile apps, app stores, and smartphone operating systems.

Malaysia

Malaysia's Personal Data Protection Commissioner issued the Personal Data Protection Standard 2015 (the "Standard"), which came into force on 23 December 2015. The Standard sets out the minimum standards of security, retention and data integrity required for compliance with the Personal Data Protection Regulations 2013 – subsidiary legislation to the Malaysian Personal Data Protection Act 2013.

At present, the Standard is only available in Bahasa Melayu. An English translation is to be released in due course.

Japan

Japan's Act on the Protection of Personal Information ("APPI") was enacted in 2003, went into effect in 2005, and was left unchanged until late last year, when it received substantial updates that were promulgated on 09 September 2015 (the "Amendments").

Among other things:

the Amendments have added two new categories of information – "sensitive information" which attracts stronger regulation, and "anonymised information" which permits weaker regulation;

the Amendments created Japan's newly formed independent privacy regulator, the Privacy Protection Commission (the "PPC");

where previously all consent needed to be opt-in (i.e. the individual was required to provide express consent), the Amendments now permit organisations to adopt an opt-out approach to consent under particular circumstances. If a company chooses to adopt an opt-out approach, it must notify the PPC. The PPC will publicly disclose this notification; and

the APPI previously had a de minimis exemption for businesses holding the personal data of fewer than 5000 individuals in the preceding 6 months. The Amendments have removed this exemption.

Indonesia

Indonesia has recently published a draft of its first comprehensive data protection law - the "Draft Regulation of the Minister of Communication and Information of the Protection of Personal Data in Electronic Systems" (the "Draft Regulation").

Notably, "personal data" is defined under the Draft Regulation as information which is true and actual, amongst other things. In this way, it differs substantially from its definition under the PDPA, which expressly states that data "whether true or not" can comprise personal data.

It is unclear how correction obligations under the Draft Regulation are to be treated. If untrue data does not constitute "personal data" then it would, by definition, be impossible to correct personal data, which must be true to begin with.

China

In July 2015, China's National People's Congress released the "Cyber Security Law of the People’s Republic of China (Draft)" (the "CSL Draft") for public feedback. Amongst other things, the CSL Draft looks to tighten China's cyber-security regime by regulating data storage.

Under the CSL Draft, "important" or "critical" information, which includes personal data, must be stored exclusively within China. If such data needs to be stored outside of China, the entity wishing to transfer the data out of China will need to complete a security evaluation.

At present, it is unclear what would constitute "important" or "critical" information, or what form the security evaluation would take and how onerous it would be. However, it appears that the CSL Draft in its current form would have a strong disruptive effect on the operations of multinationals with centralised services, and businesses in the tech space – particularly in relation to the burgeoning cloud services industry.

Hungary

The Hungarian Data Protection Authority Issues a New Recommendation on Information Requirements

Zoltán Tarján, Senior Associate, Bird&Bird, Budapest office

The National Data Protection and Freedom of Information Authority (the Authority) recently published its recommendation on information requirements (the Recommendation). According to the Authority's experience, most data controllers are aware of their obligation to prepare data processing information documents. However, these documents often do not comply with certain fundamental constitutional requirements, and individuals are therefore not always fully informed about the effects of data processing on their privacy. In order to help develop good practice, the Recommendation sets out detailed guidelines regarding requirements that should be taken into consideration when preparing data processing information documents.

The Authority strongly recommends that data controllers should review their data processing information documents in line with the Recommendation, and implement changes where necessary. In addition, the Recommendation advises that information documents should be reviewed and updated annually, as certain data processing circumstances and applicable laws may change.

Legal background

According to Article 20 (2) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the Privacy Act), data controllers should inform individuals in advance, in a clear and detailed manner, about all facts concerning the processing of their data. This provision of the Privacy Act sets out the required content of information documents (legal basis, purpose, duration of the data processing), but the list is not exhaustive. The Recommendation points out that other provisions of the Privacy Act should also be taken into account when preparing information documents. For instance, Article 15 (1) of the Privacy Act, which specifies what information should be provided to individuals in response to an information request, must be taken into account. In the Authority's opinion, the information supplied to individuals in advance of any data processing must include all the details specified in this Article, such as the scope of the data processed, the source of the data, the name and address of the data processor, and its activity in relation to the data processing. Further, Article 11 (2) of the Privacy Act must also be taken into account. This imposes an additional obligation to supply information in relation to decision-making based on automated data processing.

In which form should the information be provided?

Pursuant to the Recommendation, the required information may be provided in writing and in any other form, including verbally. However, it is important to note that the burden of proof is on the data controller to show that the relevant information was provided. Therefore, the general rule is that information should be provided in writing. The Authority notes that a template information document cannot be issued since the specific circumstances of the data processing must be taken into account in each case.

According to the Authority's position, and in line with the principle of fair data processing defined in Article 4 of the Privacy Act, the information to be supplied to individuals must be clear, readily accessible and easily readable. The Recommendation emphasises that data controllers will not properly discharge their obligation to provide information about their data processing by simply citing certain provisions of the Privacy Act. Information documents should use short sentences and phrases used in everyday life when describing data processing arrangements. It is recommended that information should be supplied using examples. There is also a recommendation that structure, numbering and bullet points should be used to enhance clarity. Finally, it is a requirement that the information document should be available prior to the commencement of the data processing and, if possible, before each important data processing action. Furthermore, according to the Recommendation, the information document should always be available on the front page of the data controller's website. Where standard contractual clauses are in use, this should be referred to separately in the text.

What should be the scope of the information?

Data controller: The data controller's contact details, such as address, e-mail address, website and phone number must be given. In case of multiple data controllers and data transfer, each data controller should be named.

Purpose of data processing: Importantly, information about the purposes of data processing must be concrete, precise and clear. For instance, according to the Authority, it is not sufficient to simply say that data are processed for marketing purposes, as various forms of marketing may be in use. If this is so, the purpose should be described more precisely, for example by referring to "sending direct marketing messages via email". In cases involving more complicated data processing (for instance where there are multiple data processing purposes), the purpose of the data processing must be specified by reference to the scope of data processed. It is essential that individuals should be informed about the real purposes for which their data will be processed.

Legal basis of data processing: Where data processing is based on consent or based on laws, the nature of the legal basis should be briefly described, and the provisions of any relevant laws should be indicated. Where legal bases for data processing as provided for in the Privacy Act are relied on (performance of legal obligation, legitimate interest), a short description should also be provided. It is important that where data are processed for the purpose of pursuing a legitimate interest, data controllers should complete the necessary balancing test and inform the individuals concerned about the results of this test.

The scope of data processed: Categories of personal data that are to be processed must be listed precisely. The use of general terms (such as personal identification data, contact details) is not sufficient. In cases involving complex data processing (for example where data are processed for multiple purposes), the scope of data processed should be described by reference to the purposes for which the data will be processed.

Duration of data processing: Information regarding the duration of data processing must be provided by reference to the purpose of data processing and the scope of data processed. If any other laws contain provisions relating to the duration of data processing, then this should be indicated in the information document.

Data processor: The name and contact details including address, e-mail, website and phone number of the data processor must be provided. It is not sufficient to indicate that the data controller subcontracts to a data processor. Furthermore, the Authority requires that the information document should describe precisely what activities the data processor is pursuing, as well as what personal data it processes and the length of time for which the data processor may have access to it.

Persons entitled to have access to data: It is necessary to provide information about who has access and under what conditions access to the data may occur. Persons and organisations entitled to access personal data must be specified according to job positions and departments, and it is also necessary to provide details of the data processing activities pursued by them.

Data security measures: The essence of the main data security measures must be briefly and clearly described. It is not sufficient to cite Article 7 of the Privacy Act in the information document.

Data processing according to Article 6 (5) of the Privacy Act: Information on data processing under Article 6 (5) of the Privacy Act must be provided separately (i.e. where personal data is collected with the consent of the individual, the personal data may be processed without any further consent, or after the withdrawal of the consent to perform a legal obligation, or for the purposes of legitimate interest pursued by the data controller or by a third party). In this respect, the Recommendation refers to Opinion 6/2014 of the Article 29 Data Protection Working Party, according to which in case of data processing for the purposes of legitimate interest, data controllers must apply the necessary balancing test and individuals must be informed about the result of the test.

Rights and remedies of individuals: Individuals must be informed in detail about their rights (right to access; rectification, erasure, blocking of personal data; right to object). Such information should explain the manner in which and the time within which individuals can exercise their rights. Furthermore, the scope of each right should also be described (e.g. using examples). In respect of remedies, individuals must be informed about their rights to initiate proceedings before the Authority and to refer to the court. The Authority's official e-mail, postal address, phone number and website must be included in the information document. In relation to the availability of a judicial remedy, the information should explain that an affected individual may file a lawsuit before the court in the place of his residence.

How might insufficient information affect the lawfulness of the data processing?

Where data processing is based on the individual's consent, the provision of insufficient information results in one of the essential conditions of the consent not being fulfilled, i.e. the consent will not be informed. In cases where data processing takes place on the basis of a legal provision, it is necessary to indicate precisely and in detail the relevant provisions of the law that are applicable. Where data processing is based on the controller's legitimate interests, there is an obligation to apply the necessary balancing test and to provide information about this balancing exercise to the individuals concerned.

In light of the above, the Authority's view is that the prior supply to individuals of appropriate information relating to the processing of their data is of great importance to the overall lawfulness of the entire data processing procedure. It is therefore recommended that adequate time and energy should be allocated to the preparation of data processing information documentation, and to its periodic review and revision where necessary.

Italy

Draft of a New Simplified Legal Framework on Sanctions

Debora Stella, Associate, Bird&Bird, Milan office

On 26 November 2015, the Italian Data Protection Authority (i.e. the Garante) sent a formal letter to the Italian Justice Minister aimed at proposing legislative amendments to the current legal framework of sanctions provided under the Italian Data Protection Code (i.e. legislative decree no. 196/2003, “Italian DP Code”). Among the most relevant proposed changes are the following:

Reduced fines for SMEs: The proposed change is intended to introduce a reduction in the amount of fines that can be issued (i.e. to 2/5 of the minimum of the possible amount dictated by the Italian DP Code) to organisations which have fewer than 15 employees, provided that the fine is paid within 30 days.

Criminal liability: The proposed change is designed to ensure that the prosecution of offences for unlawful processing of personal data (in those circumstances listed under the Italian DP Code) is dependent on a formal accusation made by a victim (and not started autonomously by the public prosecution office, as is currently the case).

Additionally, the proposed changes include limiting the circumstances in which a breach of the law may occur: a criminal offence would only occur in case of a failure to implement those security measures required by the Italian DP Code where a data loss/modification or an unauthorised disclosure or dissemination of personal data occurs (and not for the basic lack of the required security measures).

Security measures: The Authority has suggested updating security measures by providing different solutions on the basis of specific risks to individuals’ rights and on the economic capacity of an organisation (with particular attention accorded to SMEs and craftsmen).

Repeated breaches: The proposed change introduces more severe sanctions in case of repeated infringements of the same rule by the same organisation during a period of 12 months. Fines will be doubled where the offence is repeated up to 3 times and quadrupled where offences are repeated more than 3 times within a year.


Enforcement tables by country

Australia

Date Infringing entity Details of infringement Sanction(s) imposed

17 December 2015

AMP Life Pty Ltd ("AMP")

AMP collected personal financial information from the complainant, including his tax file number (TFN). AMP disclosed this information to a third party.

At the time of collection, AMP did not notify the complainant that it had collected the information, nor did it notify the complainant of any proposed disclosure to a third party.

The complainant lodged a complaint with the Office of the Australian Information Commissioner (OAIC), alleging that AMP had interfered with his privacy by:

(a) collecting his personal information without his knowledge or authorisation in breach of National Privacy Principle (NPP) 1.5 (notification of the collection of personal information); and

(b) disclosing his personal information to a third party without his knowledge or authorisation in breach of NPP 4.1 (protection of information from misuse, loss, unauthorised access, modification or disclosure).

Because the alleged conduct occurred before March 2014, the OAIC considered the complaint under the NPPs. Australia now has a revised version of the NPPs called the Australian Privacy Principles (APPs), which came into effect in March 2014.

The OAIC investigated the matter and found that the breaches of NPP 1.5 and NPP 4.1 had both occurred, and ordered the sanctions set out below.

Within 14 days from the date of the determination AMP was ordered to:

apologise in writing to the complainant; and

pay the complainant AUD 10,000 in compensatory damages for the loss caused by the interference with the complainant's privacy.


Full details of the case here: http://www.austlii.edu.au/au/cases/cth/AICmr/2015/81.html

18 December 2015

Freelancer International Pty Ltd ("Freelancer")

Freelancer is an online platform that connects employers and employees to engage in freelance work.

The complainant made an account with Freelancer (and accepted its terms and conditions) and began using the site. Soon thereafter, his account was frozen by Freelancer, which cited 'security reasons'. The complainant was then required to provide further information to un-freeze the account.

This occurred a number of times over the following few months and the freezing of the account prevented the complainant from accessing payments he had received for freelance work.

The complainant took issue with the amount of personal information collected by Freelancer (particularly when further information was sought to verify his identity). The complainant was particularly concerned with Freelancer's collection of his IP address information.

The matter became heated when the complainant took to social media and also edited the Freelancer Wikipedia page, which Freelancer alleged was 'vandalism'.

Freelancer removed the complainant's edits on the Wikipedia page, but in the edit section named the complainant as the 'vandal' who made the 'unauthorised edits', being a disclosure of the complainant's personal information. Freelancer also made references to the complainant in social media posts.

After the complainant lodged a complaint with the OAIC, it investigated and held that Freelancer:

did not take reasonable steps to make the complainant aware of the purposes of collection of the complainant's IP address information, in particular that it did not notify the complainant that it would be collecting his IP address (held in breach of NPP 1.3); and

made unauthorised disclosure of his personal information in respect of the Wikipedia page edits and some of the social media posts (in breach of NPP 2.1).

Freelancer's conduct occurred before March 2014 and was therefore decided under the NPPs, rather than the APPs.

To redress the matter Freelancer was required to:

within 6 weeks of the determination issue an apology to the complainant, acknowledging its interference with the complainant’s privacy;

undertake staff training in accordance with its information handling procedures;

no later than six months from the date of this determination confirm that staff training has been completed; and

pay the complainant $20,000 for non-economic loss caused by the interference with the complainant’s privacy, including $5,000 in aggravated damages for the additional hurt to the complainant caused by the manner in which the interference with his privacy was committed.

Full details of the case here: http://www.austlii.edu.au/au/cases/cth/AICmr/2015/86.html

Belgium

Date Infringing entity Details of infringement Sanction(s) imposed

9 November 2015

1) Facebook Inc.

2) Facebook Ireland Limited

3) Facebook Belgium SPRL

("Facebook")

The President of the Belgian Data Protection Authority commenced a judicial procedure against Facebook.

Facebook argued that it was subject to Irish data protection law only and that only Irish courts have jurisdiction in relation to its EU activities. However, referring to Google v Spain, the Court did not agree. The Court found that Belgian data protection law was applicable and that the Belgian courts had jurisdiction.

Facebook processes, amongst other things, the IP address and a “unique identifier” contained in Facebook’s datr cookie. The Court found that these are “personal data” and that Facebook's collection thereof constitutes a “processing” of personal data.

The Court found that the fact that Facebook collects data on the web-surfing behaviour of millions of Belgians who have decided not to become a member of Facebook’s social network is a “manifest” violation of Belgian data protection law, irrespective of Facebook's intended use of these data after having collected them.

The Court pointed out that Facebook cannot rely on any legal justification for processing, via cookies and social plug-ins, personal data of people who do not have a Facebook account because:

Facebook has not obtained their consent to do so;

Facebook does not have in place any agreement with people who do not have a Facebook account;

Facebook is under no legal obligation to process such data; and

any security interest pursued by Facebook is overridden by the fundamental right to privacy of people who do not have a Facebook account.

The Dutch-speaking President of the Court of First Instance of Brussels ordered Facebook, in respect of every internet user in Belgian territory who has not registered as a member of the online social network of Facebook, to cease:

placing a datr cookie when they land on a web page of the facebook.com domain without providing them with prior sufficient and adequate information about the fact that Facebook places the datr cookie with them and about the way Facebook uses that datr cookie through social plug-ins; and

collecting the datr cookie through social plug-ins placed on third-party websites.

Facebook was sentenced to a penalty of EUR 250,000 per day that it does not comply with the order.

China

Date Infringing entity Details of infringement Sanction(s) imposed

8 October 2015

Shaoxing Yi Xin Network Technology Service Co., Ltd ("Shaoxing")

Mr/Ms. Dong, the complainant in the case, believed that certain internet posts made by other Shaoxing users had infringed his/her reputation rights and that Shaoxing should disclose the users' personal information and certain data to Mr/Ms. Dong.

The intermediate people's court of Shaoxing, Zhejiang issued a judgment noting that in not disclosing its users' personal information, Shaoxing did not infringe Mr/Ms. Dong's reputation rights.

2 November 2015

Mr/Ms. Feng

Mr/Ms. Feng, who was involved in providing customer service at a company in Hangzhou, acquired more than 9000 pieces of personal customer information by downloading and copying it using accounts and an EPR system. Mr/Ms. Feng sold the information to others and illegally made RMB 458,000.

The people's court of Hangzhou Economic and Technological Development Zone, Zhejiang issued a judgement sentencing Mr/Ms. Feng to one year's fixed-term imprisonment and imposing a fine of RMB 10,000. The court also recovered illegal income of RMB 33,128 and a final portion of illegal income amounting to RMB 12,672.

10 March 2016

Media Company (the "Company")

The Company illegally obtained many pieces of personal consumer information and used the information for illegal purposes.

The Deyang AIC in Sichuan issued an administrative penalty to the Company together with corrective instructions and a fine.

16 March 2016 Mr/Ms. Yang

Mr/Ms. Yang, employed as the manager of a bank, illegally downloaded more than 10,000 pieces of personal information and sold the information to third parties for between RMB 25 and 50 each. Mr/Ms. Yang had illegally made more than RMB 370,000.

The People's Court of Pudong New District, Shanghai issued a judgment sentencing Mr/Ms. Yang to six months' detention and imposing a fine of RMB 10,000. The court also recovered Mr/Ms. Yang's illegal income.

Czech Republic

Date Infringing entity Details of infringement Sanction(s) imposed

November 2015

CreditPortal, a.s. ("CreditPortal")

CreditPortal, a Czech provider of short-term loans, was inspected on the basis of a complaint alleging that an email from the company's email address containing a payment reminder to three particular debtors had been sent automatically via Gmail to more than 88 recipients (customers of CreditPortal). The email contained the names, surnames, addresses, dates of birth of the three debtors as well as amounts outstanding to CreditPortal.

The DPA found that the email was generated and sent automatically and that its transmission was due to interference with the company's software. CreditPortal was using its own IT solution and had not issued any internal guidelines to govern data protection in the course of developing, testing and implementing the software. The DPA concluded that the unlawful transmission occurred because CreditPortal had not adopted sufficient technical and organisational measures to prevent unlawful or accidental access to personal data.

The DPA imposed remedial measures, which were implemented by CreditPortal within the stipulated deadline, and a fine of CZK 30,000 (approx. EUR 1,110).


Denmark

Date Infringing entity Details of infringement Sanction(s) imposed

19 October 2015

Lejre Municipality

As a result of an inspection, the DPA was critical of the following non-compliance at Lejre Municipality:

non-performance of the duty to give notification;

non-performance of random sample check of their log;

insufficient authorisation, cf. the Danish Executive Order on Security § 11; and

non-performance of an obligation to update and elaborate security rules, cf. the Danish Executive Order on Security.

The DPA required that Lejre Municipality update its security rules and that this should in future be done on an annual basis.

23 October 2015

Odsherred Municipality

The DPA found that Odsherred Municipality had failed to comply with § 41 and § 5 of the Danish Act on the Processing of Personal Data, by unknowingly transferring sensitive personal data from a citizen to third parties, by sending unencrypted e-mails containing sensitive personal data, by not recalling this personal information from third parties and by not requesting that this data be deleted.

The DPA requested that Odsherred Municipality report back within 4 weeks, with a statement outlining the actions the Municipality will put into practice in the future in order to ensure compliance with data protection rules.

2 February 2016

National Institute of Public Health

The National Institute of Public Health transfers data from the "Kids Health Database" 1-2 times a year. The personal data in the database is transferred to research projects and the data has, for the most part, been pseudo-anonymised before the transfer. The National Institute of Public Health was unaware that the transfer of pseudo-anonymised data required permission from the DPA for the transfer (Danish Act on the Processing of Personal Data § 10, section 3).

The National Institute of Public Health must investigate to establish who the data has been transferred to, and whether these recipients (as opposed to the National Institute of Public Health), have acquired the necessary permission from the DPA for the transfer.

15 February 2016

Brønderslev Municipality

As a result of an inspection at Brønderslev Municipality, the DPA was critical of the following non-compliance at Brønderslev Municipality:

non-performance of the duty to give notification;

insufficient authorisation, cf. the Danish Executive Order on Security § 11; and

lack of control among the data controllers of the Municipality.

The DPA requested that Brønderslev Municipality report back before February 2016 with a statement outlining the actions the Municipality will put into practice in the future in order to be in compliance with the data protection rules.

16 February 2016

Hjørring Municipality

As a result of an inspection at Hjørring Municipality, the DPA was critical of the following non-compliance at Lejre Municipality:

failure to carry out random sample checks of their log;

insufficient authorisation, cf. the Danish Executive Order on Security;

failure to update and elaborate security rules, cf. the Danish Executive Order on Security; and

failure to carry out an annual review of the security rules, cf. the Danish Executive Order on Security.

Brønderslev Municipality reported back to the DPA with a statement outlining that it will take the required actions in order to comply with the data protection rules. The DPA will take no further action.

Finland

Date Infringing entity Details of infringement Sanction(s) imposed

N/A

Several banks

The Finnish Data Protection Ombudsman has inspected the actions of several banks in relation to the collection of customer data in February 2016. The aim of the inspection was to find out whether it is necessary for banks to collect data for the purposes of identifying customers and complying with other legal obligations. No other measures have yet been taken as regards these actions.

As a result, the Finnish financial supervisory authority has issued clarifying comments regarding the obligation of banks to collect customer data.

No sanctions imposed as yet.

17 March 2016

CEO and Sales Manager of a company

The Turku Court of Appeal held that the CEO and a Sales Manager of a company had breached the Finnish Act on the Protection of Privacy in Employment as they had directed an employee's emails to their own mailboxes after the termination of the employee's employment relationship. The court stated that the CEO and the Sales Manager should have complied with the specific requirements of the Act on Privacy in Employment as regards searching and opening an employee's email messages.

The CEO was fined.

France

Date Infringing entity Details of infringement Sanction(s) imposed

15 October 2015 (decision n°381223)

Mr. C…A…B… Ruling of the Council of State (Conseil d’Etat)

Mr. C…A…B… is a former employee of the company Celtipharm. Exercising his access rights under article 39-4° of the DP Act, he asked Celtipharm to send him documents containing personal data, including expenses reports established in his past role. After Celtipharm refused to send the documents, he referred the matter to the CNIL, which issued a formal notice. Celtipharm thereafter sent the requested documents to Mr. C…A…B…, including a record of his expenses. However, it did not send any document justifying how the expenses reports had been compiled (e.g. restaurant or hotel bills). Despite this, the CNIL decided to close the complaint. Mr. C…A…B… asked the Council of State for an annulment of the CNIL’s deliberation on the basis of misuse of authority. According to Mr. C…A…B…, documents justifying how expense reports had been established should have been sent to him.

The Council of State ruled that article 39-4° of the French DP Act provides that a data controller only has to communicate personal data which relate to the data subject, together with all available information relating to the sources of such data. It considered that the provision does not establish a requirement that the documents held by the entity which established the data processing (in this case Celtipharm) be communicated. Rather, it held that article 39-4° only requires that the information be communicated. The Council of State consequently considered that the communication of expense reports without the documents justifying how these reports had been produced did satisfy the requirements of article 39. The Council of State therefore rejected Mr. C…A…B…’s request to reverse the CNIL’s deliberation.


5 November 2015 (CNIL decision n°2015- 379)

Optical Center

Optical Center is a company that distributes optical products through a network of stores and websites. The CNIL received a complaint from a client of Optical Center on the basis that their password had been communicated to them by phone, suggesting that the clients’ passwords were stored in the company’s database. The CNIL therefore decided to perform an onsite inspection, which revealed several breaches of the French DP Act, including (i) a failure to maintain the security and confidentiality of clients’ data (article 34) and (ii) a failure to define and comply with appropriate periods of retention of personal data (article 6-5°).

As the inspection indicated the company was only partially compliant, in February 2015, the CNIL decided to perform a second onsite inspection. Given the difficulties that the CNIL faced in obtaining information relating to the extent of the company’s compliance, the company was then summoned to a hearing before the CNIL.

The CNIL issued a formal notice requiring Optical Center to implement, within a given timeframe, corrective measures to:

comply with appropriate personal data retention periods;

inform the individuals concerned about the data processing;

take appropriate measures to ensure the security and confidentiality of data collected by the company; and

implement these measures across all of their stores.

In light of the breaches of article 34 and 35 of the DP Act, which persisted beyond the time limit set by the formal notice, the company was fined EUR 50,000 and the deliberation pronouncing this fine was published.

9 November 2015 (decision n°384673)

Néressis Editions (trade name: « PAP de particulier à particulier – le journal des particuliers ») ("Néressis Editions") Ruling of the Council of State (Conseil d’Etat)

Néressis Editions is a company whose main activity is to link individuals for the purchase and sale of real estate through its website www.pap.fr. The CNIL decided to perform an inspection of Néressis Editions after having been informed by the website www.leboncoin.fr, whose activity is similar to that of Néressis, of numerous complaints made by its users. This inspection revealed that Néressis Editions collected and processed personal data available in individual ads uploaded by individuals on competitor websites such as Leboncoin. After collecting such data, Néressis Editions engaged in commercial prospecting activities (text messages, emails, phone calls) targeting the individuals whose data had been collected. It offered to publish their ad for a fee. It should be noted that individuals had expressly opposed any commercial use of their personal data by ticking a specific box when they placed their ad on the Leboncoin website.

The CNIL issued a formal notice summoning Néressis Editions to comply within three months with the French DP Act’s article 6-1° requirement that data be processed fairly. Specifically, the CNIL ordered Néressis Editions to cease the collection and processing of personal data of those individuals who published on a competitor website a real estate ad expressly objecting to commercial prospecting activities. Néressis Editions asked the Council of State to annul this decision for misuse of authority.

The Council of State found that:

Néressis Editions had been proved to engage in personal data collection activities without the knowledge of relevant data subjects, without prior information and in violation of numerous individuals’ refusal of any commercial prospecting; and

the fact that the right to object was expressed in a general way (“I refuse any commercial prospecting”) had no impact on the validity of the relevant data subjects’ refusal.

The Council of State therefore rejected Néressis Editions’ request and held that the company had breached article 6-1° of the DP Act, which provides that data must be obtained fairly.

14 December 2015 (decision n°380847)

Mr. A…B… Ruling of the Council of State (Conseil d’Etat)

Under French law, when a legal aid request is made during legal proceedings, the secretariat of the legal aid office must notify the President of the court before which the proceedings are under way. Mr. A…B…, who had requested legal aid, asked for a screenshot to be sent to the President of the legal aid office at the Paris Court of Appeal, evidencing compliance with the aforementioned notification procedure. No action was taken in response to this request. Mr. A…B… therefore referred this issue to the CNIL, which rejected his complaint.

Mr. A…B… asked the Council of State to annul the CNIL's decision.

The Council of State stated that under the access right of article 39 of the French DP Act, a data controller is required only to communicate to data subjects personal data that concerns them, together with all available information about the sources of such data. The case law has consistently held that this provision does not require that documents should be communicated to the individual exercising his access rights. Rather, the relevant entity only has to communicate the relevant information. The Council of State also approved the CNIL’s interpretation that Mr. A…B…’s request could not be characterised as a personal data communication request. It held that this was a sufficient reason for the CNIL to justify its decision to reject the complaint. The Council of State therefore rejected Mr. A…B…’s request to annul the CNIL’s deliberation.

18 December 2015

(decision n°384794)

LocCarDream Ruling of the Council of State (Conseil d’Etat)

LocCarDream is a car rental company. Following an investigation carried out by the CNIL, LocCarDream was fined EUR 5,000 for failing to comply with the relevant formalities before a specific processing activity could start. The processing activity declared by LocCarDream (the geo-tracking of employees) did not correspond to the actual processing activity expected of it as a car rental company (the geo-tracking of rented vehicles).

The CNIL also required LocCarDream to:

ensure the adequacy, relevance and proportionality of processed data;

inform individuals about the geo-tracking of their vehicles;

preserve the security of the data; and

co-operate with the CNIL.

LocCarDream asked the Council of State to annul the CNIL’s deliberation, arguing that it could not be characterised as a data controller for the purposes of article 3 of the French DP Act, because it was not the owner of all the cars equipped with a geo-tracking device. This was key to determining whether or not LocCarDream had failed to comply with the relevant formalities before the processing activity began.

In its decision, the Council of State noted that:

the car rental contract upon which the initial complaint was based had been signed by LocCarDream; and

the rental car geo-tracking data was accessible on a single workstation, the access password for which was known by LocCarDream’s director’s wife.

The Council of State consequently considered that LocCarDream determines the purposes and means of the processing, and acts as the data controller for the purposes of article 3 of the DP Act. It therefore rejected LocCarDream’s annulment request.

21 December 2015 (CNIL decision n°2015-454)

PROFILS SENIORS

PROFILS SENIORS is a marketing company, whose main activity is to collate a database of French “seniors”. This database contains the personal data of more than one million individuals and is leased to third parties for commercial purposes. The CNIL received a complaint from an individual related to PROFILS SENIORS’s failure to respond to his access request. The request concerned information relating to the complainant and his objection to the transfer of his personal data to third parties and to its use for telemarketing purposes. Following the CNIL’s investigation, PROFILS SENIORS provided a satisfactory answer to the complainant. The CNIL thereafter decided to perform an onsite inspection of PROFILS SENIORS. The inspection revealed several breaches of the French DP Act:

failure to perform the necessary preliminary filings with the CNIL (article 22-I of the DP Act). PROFILS SENIORS could not rely on filings made by the company prior to its acquisition by PROFILS SENIORS given that PROFILS SENIORS had become the data controller upon purchase of the said company;

failure to respect the provisions concerning transfer of personal data to third countries outside the European Union (articles 68 and 69 of the DP Act). Although PROFILS SENIORS used a Mauritius-based service provider which had access to the personal data held by the company, it had not obtained or even requested the CNIL’s prior authorisation;

failure to collect data fairly (article 6-1° of the DP Act). PROFILS SENIORS had failed to properly inform relevant individuals about the real purpose of the data collection. The individuals who were contacted by PROFILS SENIORS thought they were contributing to a study on French household consumption whereas the real purpose of the call was to establish a database for commercial purposes;

failure to obtain the consent of data subjects for the processing of their personal data by third parties (article L. 34-5 of the Postal and Electronic Communications Code). In particular, the CNIL noted that the information in the calling script was not sufficiently clear, precise and adequate to enable persons contacted by PROFILS SENIORS to understand, without ambiguity, that the main objective of the data collection was to establish a database for use by third parties for commercial purposes;

failure to ensure the security of the data (article 34 of the DP Act); and

failure to preserve the security and confidentiality of the data managed by a processor (article 35 of the DP Act). No contract had been signed with the processor, and the contract signed with the database host did not contain any security or confidentiality clauses.

Although PROFILS SENIORS took corrective measures after the inspection, the CNIL considered that their ex post compliance did not prevent it from considering that a number of relevant DP principles had been breached.

The CNIL issued a public warning.

30 December 2015

(decision n°376845)

Juricom Ruling of the Council of State (Conseil d’Etat)

Juricom is an association which provides legal advisory services, including access to legal directories. A number of legal professionals contacted Juricom to ask that their data be deleted from one such legal directory, on the basis of article 38 of the French DP Act (right to object). After Juricom failed to respond to their requests to delete their personal data, the legal professionals referred the matter to the CNIL, which exercised its duties of inspection. Upon performing an onsite inspection, it found that there was no time limit for data retention. It consequently issued three subsequent formal notices, all of which Juricom failed to comply with. The CNIL therefore opened disciplinary proceedings, and on 29 January 2014 it imposed a financial sanction of EUR 10,000 on Juricom. Juricom asked the Council of State to invalidate the CNIL’s deliberation. It argued that:

the president of the CNIL lacked the power to order an inspection of Juricom’s data processing activities;

the CNIL’s third and final formal notice infringed the principle of impartiality contained in article 6 of the European Convention on Human Rights (ECHR) in that it already characterised actions as ‘failing to comply’ with the DP Act;

the CNIL’s procedure had breached the adversarial nature of the sanctioning procedure and the principles of impartiality and equality of arms. This was because prior to the deliberation of 29 January 2014, in compliance with article 4 of the decree of 20 October 2005, a draft judgment was circulated to the members of the CNIL committee, but not to Juricom;

the CNIL’s third and last formal notice had failed to comply with the timeframe set out in articles 45 of the DP Act and 73 of the decree of 20 October 2005. Its 10-day deadline complied with the aforementioned articles. However, the notice was incomplete in that the Annex containing the list of new plaintiff data subjects requesting that their data be deleted from the legal directory was missing. It was only transmitted to Juricom’s lawyer 8 days later, leaving Juricom just 2 days to comply; and

the CNIL had wrongly characterised the data subjects’ professional details, which are publicly available, as ‘personal’ data as defined in article 2 of the DP Act.

The Council of State, examining each argument in turn, considered that:

on the basis of two deliberations, respectively establishing the bylaws of the CNIL (n°2006-147) and the powers delegated to its president and vice-president (n°2009-674), the president of the CNIL did have the power to order an inspection of Juricom’s data processing activities;

articles 13, 17, 45 and 46 of the DP Act established a clear separation between the investigatory and sanctioning powers of the CNIL. The president of the CNIL, who issued the CNIL’s third and last formal notice, was not involved in the sanctioning procedure. Therefore, the principle of impartiality of article 6 ECHR had not been breached;

article 4 of the decree of 20 October 2005 was not applicable to the CNIL’s sanctioning procedure. The argument that the CNIL’s procedure had breached the adversarial nature of the sanctioning procedure and the principles of impartiality and equality of arms was consequently dismissed;

the CNIL’s sanction was expressly based on the fact that details of the plaintiff data subjects had not yet been removed on the day of the hearing, i.e. 23 January 2014, rather than upon expiry of the timeline for compliance indicated in its formal notice (10 days from 27 November 2013). The timeframe requirements set out in articles 45 of the DP Act and 73 of the decree of 20 October 2005 were therefore not breached; and

the fact that details available in the legal directory were the professional contact details of the plaintiff data subjects, which were publicly available, did not prevent them falling within the scope of ‘personal’ data as defined in article 2 of the DP Act.

The Council of State rejected Juricom’s request to reverse the CNIL’s decision.

30 December 2015

(decision n°385019)

Orange Ruling of the Council of State (Conseil d’Etat)

Orange is a French mobile network operator and internet service provider. On 18 April 2014, a server belonging to one of Orange’s sub-contractors, Gutenberg, was hacked. As a result, the personal data of 1.3 million clients and prospects of Orange were wrongfully accessed.

Orange duly notified the data breach to the CNIL in accordance with article 34 bis of the French DP Act. Thereafter, the CNIL conducted an onsite inspection and discovered a number of security shortcomings, on the basis of which it issued a public warning in a deliberation dated 7 August 2014.

Orange asked the Council of State to invalidate the CNIL’s deliberation. It argued that:

the deliberation had failed to include a mandatory specification specifying the composition of the Restricted Committee (formation restreinte) as described in article 77 of the decree of 20 October 2005;

Orange’s compliance with the data breach notification requirement of article 34 bis of the DP Act prevented any further sanction (including a public warning) from being pronounced against it on the basis of article 45 of the same Act; and

the CNIL had breached articles 47 and 48 of the Charter of Fundamental Rights of the European Union, which respectively establish the rights to an effective remedy and to a fair trial, and the presumption of innocence and the rights of the defence. By complying with the data breach notification procedure of article 34 bis, Orange had effectively contributed to its own incrimination.

The Council of State, examining each argument in turn, considered that:

no legal text established that the composition of the Restricted Committee as described in article 77 of the decree of 20 October 2005 was a mandatory specification to be included in the CNIL’s deliberation. Further, the requirements of article 77 had not been breached and so the argument was dismissed;

there was no legal basis for Orange’s argument that its compliance with the data breach notification requirement of article 34 bis of the DP Act prevented any further sanction from being pronounced against it; and

it could not be said that Orange had contributed to its own incrimination in breach of articles 47 and 48 of the Charter of Fundamental Rights because the CNIL had not pronounced its sanction on the basis of the data breach notification but on that of security shortcomings identified during the onsite inspection.

Overall, the Council of State noted that delegating data processing activities to sub-contractors does not discharge the data controller from complying with its obligation to ensure that an appropriate level of security is maintained so as to prevent the personal data it holds from being accidentally or deliberately compromised. Orange had failed to comply with such obligations because it had not carried out a security audit, it had used unsecured means of transferring data to its sub-contractor Gutenberg, and it had not ensured that the safety instructions established in its contract with Gutenberg were respected by Gutenberg’s own sub-contractor.

On the sanction itself, the Council of State considered that the public warning was proportionate to the nature and gravity of the breach. In light of the nature of the data breach and of the considerable human and financial resources which Orange benefits from and could have used to prevent the breach, the Council of State declared that the sanction was justified. It consequently rejected Orange’s request to reverse the CNIL’s decision.

8 March 2016

(CNIL decision n°2016-053)

NC Numericable

NC Numericable is a cable operator and telecommunications services company. It is legally obliged, on the basis of article L. 34-1 of the Postal and Electronic Communications Code, to transmit its users’ technical data to the police and to HADOPI, a government agency tasked with ensuring compliance with French copyright laws. This information is used to identify IP addresses from which activities breaching copyright law are carried out.

Over the course of a period of 1 year and 9 months, an NC Numericable user was wrongly identified as breaching copyright laws 1,531 times, and was wrongly convicted 7 times. A police investigation identified that the problem was due to the malfunctioning of the software application used by NC Numericable to automatically identify the users of the IP addresses flagged as breaching copyright.

Upon discovering this malfunction, HADOPI referred the issue to the CNIL. Following its investigation, the CNIL decided to open a procedure against NC Numericable.

The CNIL found that NC Numericable had failed to comply with its obligation to ensure the accuracy of personal data, thus breaching article 6-4° of the French DP Act. In doing so, the CNIL:

rejected NC Numericable’s argument that the obligation under article 6-4° is an obligation to deploy one’s best efforts to ensure the accuracy of data. Instead, the CNIL considered that the obligation of article 6-4° is directed at achieving a specific result – namely, that personal data be accurate; and

rejected NC Numericable’s defence that the high number of requests received from HADOPI and the police forced it to use a software application so as to automatically process them. NC Numericable had to comply with its legal obligations to transmit information to HADOPI and the police, and remained liable for the consequences of the malfunctioning of the software application used to do so.

The CNIL issued a public warning.

Germany

Date Infringing entity Details of infringement Sanction(s) imposed

February 2016 Various international companies based in Hamburg

In February 2016, the Hamburg Data Protection Commissioner, Johannes Caspar, announced in an interview that he would issue fines to companies which are still relying on the Safe Harbor scheme after the expiration of the January 2016 deadline set by the Art. 29 WP and local DPAs. The Hamburg DPA is currently preparing to commence proceedings against various international companies that are based in Hamburg. These proceedings are part of the three step plan that was issued by the DPA last November. The DPA announced that it will (i) first inform companies about the DPA's Safe Harbor judgment, (ii) then request information on US data transfers, and lastly, (iii) enforce the matter if necessary. It is still unknown who these companies are and what fines may be or may have already been issued, but the Hamburg DPA made it clear that fines will be issued. It is expected that the Hamburg DPA will provide further information once the proceedings have concluded.


Hong Kong

Date Infringing entity Details of infringement Sanction(s) imposed

October 2015

A solicitor and the solicitor's firm

The Complainant had a shareholders' dispute with his friend, who is a solicitor at a law firm. The solicitor instructed the firm to act as her legal representative in the shareholders' dispute. Pursuant to the solicitor's instructions, the firm faxed to the Complainant a set of legal documents containing his personal data via a fax number linked to the Complainant's employer. The Complainant alleged that the fax number was that of the CEO and lodged a complaint to the Office of the Privacy Commissioner for Personal Data on the basis that disclosure had been made without his consent.

The Commissioner concluded that neither the solicitor nor the firm had taken any measure to ensure secure transmission of the legal documents to the Complainant, and this constituted a contravention of Data Protection Principle 4 of the Personal Data (Privacy) Ordinance.

An Enforcement Notice was served directing:

the solicitor and the firm to cease sending any document containing the Complainant's personal data to him via facsimile other than with his consent or as directed by court; and

the firm to prepare a written policy to prohibit the sending of legal documents which contain personal data to an insecure fax number other than with consent or as directed by court.

3 November 2015

Hong Kong Professional Health Group Limited ("HKPHG")

HKPHG was convicted of an offence under section 35G(3) of the Personal Data (Privacy) Ordinance for failure to comply with a request from its client to cease using his personal data in direct marketing (i.e. an opt-out request).

The case stemmed from a complaint made to the Office of the Privacy Commissioner for Personal Data. The Complainant was an ex-customer of the convicted company. Despite the Complainant's verbal and written opt-out requests, the convicted company still made a call to the Complainant.

A fine of HK$ 10,000.


30 December 2015

An individual

An individual was convicted, after trial, of the offence of providing the personal data of a person to a third party for use in direct marketing without taking specified actions and obtaining the person's consent, contrary to section 35J of the Personal Data (Privacy) Ordinance. This was the first conviction under this section.

The case stemmed from a complaint made to the Office of the Privacy Commissioner for Personal Data. The convicted individual, a real estate agent, obtained the Complainant's name and phone number at a social function. Without informing the Complainant or obtaining his consent, the convicted individual provided the information to an insurance agent for direct marketing. The insurance agent then called the Complainant on two occasions for direct marketing purposes.

A fine of HK$ 5,000.

January 2016

A beauty salon

The Complainant received a promotional offer for a beauty treatment at a beauty salon. Upon completion of the treatment, the beauty salon asked the Complainant to complete a registration form which requested, amongst other things, the Complainant's HKID number, date of birth and education level. The Complainant was also asked to sign a consent letter which requested her HKID number. The Complainant made a complaint to the Office of the Privacy Commissioner for Personal Data.

In relation to the registration form, the Commissioner found that the collection of the Complainant's personal data was unnecessary for the purposes of the treatment.

In relation to the consent letter, the Commissioner found that since the treatment was not performed by a registered doctor, the beauty salon was not entitled to collect the HKID number of its customers. The collection of the Complainant's HKID number was therefore excessive. The Commissioner concluded that the beauty salon contravened Data Protection Principle 1 of the Personal Data (Privacy) Ordinance.

An Enforcement Notice directing the beauty salon to take measures to rectify the breach.

Hungary

Date Infringing entity* Details of infringement Sanction(s) imposed

November 2015

SCnetwork Magyarország Kft. ("SCnetwork")

An individual submitted a complaint to the NAIH claiming that registration on the official SCnetwork website required the supply of an unreasonable amount of data. The NAIH launched an ex officio data protection proceeding.

The NAIH established that SCnetwork as data controller failed to provide adequate information to data subjects (e.g. concerning the identity of the data controller, the duration of the data processing etc.) in relation to the processing of their personal data, failed to make the privacy policy readily available on the SCnetwork website, and failed to make the privacy policy available prior to the commencement of data processing and before each important data processing action.

The NAIH imposed a fine of HUF 2,000,000 (approx. EUR 6,666) on SCnetwork and, in addition, ordered the infringing entity to fulfil the following obligations:

to inform data subjects adequately when gathering their data on the website and to amend the privacy policy in order to comply with relevant legislation; and

to inform those data subjects already registered about changes in the way their data would now be processed and to ask for their consent and confirmation in relation to consent they had given previously.

November 2015

MGM Laser Life Kft. ("MGM")

MGM organised product presentation events. The aim of these events was to promote and sell medical equipment. MGM contacted potential data subjects via flyers and asked for a considerable amount of health-related personal data (typically related to health conditions and past illnesses). The NAIH initiated a proceeding against MGM.

MGM claimed that it did not process personal data belonging to event participants, since it destroyed data collection sheets following its events. The NAIH established that MGM as data controller did process participants' data because it collected and stored data. In addition, it found that MGM failed to provide adequate information to data subjects and that, among other things, it gave misleading information about the real purpose of the data processing (since it claimed that the purpose of the data processing was to organise health-related events, while in reality the data processing was directly linked to the sale of its products).

The NAIH imposed a fine of HUF 2,000,000 (approx. EUR 6,666) on MGM and also ordered the infringing entity to fulfil the following obligations:

to stop processing health-related data; and

to amend its privacy policy to provide sufficient information for data subjects on the purpose and circumstances of any data processing.

The fine in this case was sizeable because the infringements affected many individuals belonging to a sensitive group of consumers (elderly people) and because the entity committed the infringing activities regularly. A further aggravating circumstance was that the infringing entity did not cooperate with the authority during the proceeding.

The NAIH's decision was aimed at bringing these issues to the attention of companies organising product presentation events, and also at ensuring that such companies comply with the relevant laws. It was a mitigating circumstance that the infringing entity destroyed the data following the product presentation events and processed them only for a short period of time.

November 2015

EOS Faktor Magyarország Zrt. ("EOS Faktor")

Several individuals submitted complaints to the NAIH claiming that EOS Faktor was processing the data of individuals with whom it did not have any kind of legal relationship and asking them for help in contacting EOS Faktor's debtors for the purpose of the recovery of claims. According to the complainants, EOS Faktor contacted them via telephone and SMS, asking them to deliver messages to its debtors. When they asked EOS Faktor to delete their phone numbers from its database, it refused to do so. On the basis of the notifications received, the NAIH launched an ex officio data protection proceeding.

During the proceeding, EOS Faktor claimed that searching for alternative contacts in public databases (typically relatives, neighbours etc.) with a view to contacting its debtors was lawful. The NAIH established that individuals whose phone numbers can be found in public databases (e.g. phonebooks) had given their consent to be contacted via these numbers. However, such consent does not cover other data processing activities (e.g. recording, storage etc. of the data) and EOS Faktor should have asked for the data subjects' specific consent in respect of such data processing.

Therefore, the NAIH established that EOS Faktor had failed to comply with the requirement to provide adequate information to data subjects and was processing the data of third parties without any legal basis. In addition, EOS Faktor breached the relevant laws when it refused to delete the data of third parties upon their request.

The NAIH imposed a fine of HUF 4,500,000 (approx. EUR 15,000) on EOS Faktor and also ordered the infringing entity to stop processing the data of persons who do not qualify as debtors.

Italy

Date Infringing entity Details of infringement1 Sanction(s) imposed

22 October 2015

Liceo scientifico statale Plinio Seniore

A national high school in the city of Rome used a CCTV system without providing the necessary information notice and without notifying the Italian Data Protection Authority in advance (as required by art. 37 of the Italian Data Protection Code, “Italian DP Code”).

The Italian Data Protection Authority fined the high school:

an amount of EUR 8,000 by way of a reduced pecuniary administrative sanction for failure to file the notification (art. 163 and 164-bis of the Italian DP Code); and

an amount of EUR 2,400 by way of a reduced pecuniary administrative sanction for failure to display the information notice (art. 161 and 164-bis of the Italian DP Code).

2 December 2015

Il Sole 24 Ore S.p.A. ("Il Sole 24 Ore")

During a radio show called “La Zanzara” on Radio 24, the radio show hosts phoned celebrities using a false identity (e.g. pretending to be friends or colleagues of the victims of these phone calls and using imitators to imitate their voices) in order to collect and broadcast live confidential information about them.

As a result of several claims, the Italian Data Protection Authority initiated a proceeding against the owner of the radio station (i.e. the company Il Sole 24 Ore), at the end of which the Authority held that the radio show hosts’ activities amounted to unlawful processing of personal data, because they breached the principle of fairness provided by art. 11 of the Italian DP Code, and because they were not covered by the exception under art. 2 of the Code of Conduct on data processing by journalists.

According to art. 2 of the Code of Conduct, journalists can hide their identities only in very limited circumstances (i.e. where it is necessary to do so for personal safety (preservation of life) or if it is essential to the investigation of matters of public interest). However, this does not mean that journalists can obtain information in a deceptive manner by masquerading as trustworthy persons.

The Italian Data Protection Authority ordered the company to immediately cease the use of deception in this way.

2 December 2015

Fendi S.r.l. ("Fendi")

Fendi filed an authorisation request before the Italian Data Protection Authority in order to obtain permission to retain data concerning the profiles of its customers (including details on their purchases) on its CRM for a period of 10 years - instead of the 12 months usually allowed by the Italian Data Protection legislation.

The Italian Data Protection Authority authorised Fendi to retain profiling data and details about customers’ purchases for a maximum period of 7 years (instead of the usual 12 months), provided that Fendi implements specific security measures and complies with specific obligations on consent and in relation to the information notice.

21 January 2016

Banca Monte dei Paschi di Siena S.p.A. ("Banca Monte")

Banca Monte filed a prior authorisation request with the Italian Data Protection Authority for the purposes of implementing a system aimed at detecting the presence and movement of its customers inside and outside its stores for marketing purposes, i.e. offering better services and products.

In particular, the system consists of three video systems:

a "Heatmap" system to "optimise the store layout", including the arrangement of the various points of delivery for services and for the generation of automatic alerts, for example, in the case of long waits;

a "People counter" system consisting of a camera system for counting persons who are in transit within the Bank; and

a "Dwell Time" system, able to count individuals "who watch the monitors placed in the store windows" and "the totem", as well as record how long individuals stay in front of the monitors/totems with the aim of assessing the attractiveness of advertisements which are on display.

The Italian Data Protection Authority judged the Banca Monte’s security measures to be sufficient and authorised the use of such systems by allowing Banca Monte to provide its customers with a simplified information notice.

4 February 2016

Enel Energia S.p.A. and Reitek S.p.A. ("Enel Energia" and "Reitek")

On 6 December 2011, the Italian Data Protection Authority ruled on the unlawfulness of the processing of personal data by means of silent calls as implemented by Enel Energia (the data controller) and Reitek (the data processor) as part of Enel Energia’s telemarketing strategy.

In particular, the Italian Data Protection Authority required the two companies to adopt measures aimed at ensuring compliance with the fairness principle (art. 11 of the Italian DP Code), which included a prohibition on calling an identical number that has received a silent call within the past five days and on the use of comfort noise during periods when an individual is awaiting a response from an operator.

In addition, on 12 February 2015, the Italian Data Protection Authority fined Enel Energia an amount of EUR 200,000.

Both companies filed an appeal against this decision before the Italian Supreme Court of the first instance; however, this appeal was dismissed.

The Italian Supreme Court (Decision no. 2196/2016) dismissed the appeal filed by Enel Energia and Reitek. It ruled that prior and explicit consent is required for silent calls and phone numbers which are not listed in public registers. Indeed, according to the Supreme Court's decision, processing carried out by means of silent calls is equivalent to processing using “automated tools”. Therefore, the processing of personal data by means of silent calls falls under the scope of art. 130, par. 1 and 2 of the Italian DP Code, which requires the prior opt-in of the subscriber.

The Netherlands

Date Infringing entity* Details of infringement Sanction(s) imposed

3 November 2015

WhatsApp Inc. ("WhatsApp")

In January 2013, the DPA released a report on an investigation conducted in partnership with the Canadian DPA (the OPC) into the processing of personal data by WhatsApp. The DPA concluded that WhatsApp gained access to the phone numbers of non-WhatsApp users (stored in the electronic address book) through individuals' use of the WhatsApp application.

Following this investigation, WhatsApp now offers additional protection to non-WhatsApp users. WhatsApp now uses the telephone numbers of non-users in a different way and has changed its storage method. In the opinion of the DPA, the company now has a legal basis to process this data.

No sanctions were imposed.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/cbp-niet-gebruikers-whatsapp-beter-beschermd

30 November 2015

Nike Inc. ("Nike")

Via its Nike+ Running app, Nike calculates running distances, velocity and times. In order to be able to make these calculations the app uses smartphone location data, among other things. The app also calculates calories burned and stride length, based on the gender, height and weight supplied by the user. Nike also calculates so-called 'Fuel points' - Nike's own metric for the level of exertion - based on sensor data from the app.

According to the DPA's investigative report, Nike gave users of the app insufficient information about the processing of their health data. Nike also did not obtain the requisite, explicit consent from the users of its app.

As a result of this investigation, Nike has taken measures, and announced further measures to be taken. The Dutch DPA will examine these in the coming period to establish whether they are sufficient to ensure that Nike is no longer in violation of the law.

English press release:

https://autoriteitpersoonsgegevens.nl/en/news/translation-press-release-10-november-2015-nike-modifies-running-app-after-dutch-dpa

1 December 2015

Bluetrace BV ("Bluetrace")

Bluetrace provides technology to collect Wi-Fi signals from mobile devices in and around shops. Through this technology, the company collects location data of shoppers and passers-by without duly informing such individuals. Furthermore, Bluetrace collects and stores more data than is necessary for the identification of these data subjects. The DPA found that this kind of processing was in breach of the Dutch Data Protection Act.

No sanctions were imposed, and Bluetrace has announced that it has taken action following the investigation. CBP will check this in due course, and if relevant precautions have been taken, then no infringements will be recorded.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/cbp-wifi-tracking-rond-winkels-strijd-met-de-wet

10 December 2015

Zanox and TradeTracker (legal entities not made available)

Both Zanox and TradeTracker are so-called affiliate networks for online advertisements, acting as an intermediary or broker between advertisers and publishers. The Dutch Consumers and Markets Authority (ACM, which, for example, regulates cookies and matters involving spam) has involved these parties in measures to prevent the distribution of spam. They now require advertisers and publishers to demonstrate that they have explicit consent from consumers who wish to be sent commercial emails.

These networks will now have to begin checking whether advertisers and publishers have obtained such consent. In the absence of consent, no mass mailings will be able to be sent over these platforms, and offending advertisers and publishers may ultimately be excluded from the network. The networks will actively inform advertisers and publishers about the rules.

With these recent developments, the ACM sent out a clear message about the responsibilities of affiliate networks as regards email marketing. In addition to advertisers and publishers, affiliate networks, too, are responsible for sending email messages. It is worth noting that the ACM is currently conducting investigations into various other affiliate networks.

No sanctions were imposed.

English press release:

https://www.acm.nl/en/publications/publication/15053/ACM-has-taken-the-next-step-in-the-fight-against-spam/

14 January 2016

Facebook Inc. ("Facebook")

The Dutch DPA has begun an investigation into Facebook Inc. with respect to the company's new privacy policy. In what can be seen as a regulatory catch-22, the DPA requested certain information from Facebook to ensure that it is indeed competent to supervise Facebook, a request which Facebook disregarded as it believed that the regulator was not capable of asking for this information in the first place.

Following conditional penalties imposed on Facebook in relation to the above, Facebook did provide the requested information. Subsequently, the conditional penalties were retracted by the DPA.

No sanctions were imposed, and the DPA's investigation into Facebook's new privacy policy is still ongoing.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/autoriteit-persoonsgegevens-last-onder-dwangsom-voor-facebook-herroepen

19 January 2016

YD Display Advertising Benelux BV, formerly known as Yielder ("YD")

Previously, the DPA found that YD, an advertisement network, placed and read cookies without proper unambiguous consent. YD relied on an opt-out regime to obtain consent, which the DPA found to be insufficient: according to the DPA, the consent had to be unambiguous and come before the placing of any such cookies.

The DPA therefore imposed a conditional penalty on YD, demanding that YD ensure that it comply with the aforementioned requirement of prior unambiguous consent.

Interestingly, YD moved all of its assets (including any legal entities) to the UK. Subsequently, the Dutch DPA was unable to enforce the conditional penalty due to the geographical restrictions of its powers of enforcement. The Dutch DPA has informed the ICO about this case, in the hope that the ICO will assist in this matter.

YD was given a conditional fine of EUR 25,000, with the possibility of a maximum of EUR 500,000.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/autoriteit-persoonsgegevens-sanctie-yd-voor-schending-privacywet

21 January 2016

A number of Dutch municipalities

Dutch municipalities make use of a system called Suwinet, which is used to share data among municipalities in relation to the work and income of individuals. The data include details regarding employment history, education, alimony, allowances and fines.

In its investigation, the DPA found that a number of municipalities did not provide adequate organisational and technical security measures for this sensitive data. Examples included misuse of the system to access such data concerning Dutch celebrities, and the contact details of former partners in a "Women's Shelter".

A number of municipalities have taken measures following the investigation or announced that they will take such measures. Over the coming months, the DPA will re-assess whether the municipalities have indeed implemented sufficient security measures, and it may resort to the use of enforcement measures if need be.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/beveiliging-suwinet-verbeterd-na-onderzoek-autoriteit-persoonsgegevens

5 February 2016

Police authorities

A standard practice among certain regiments of the Dutch Police force was to obtain full lists of individual guests at hotels during investigations. This was an automated process, put in place between hotels and Police regiments. The DPA found that the Police should better tailor such requests to the investigation at hand and conform to the specific investigatory powers held by them, instead of obtaining a full register of all hotel guests in advance.

The DPA sent a letter to the Dutch Police in which it explained its point of view.

No sanctions imposed, and the respective Police regiments have halted this practice following receipt of the letter. Other regiments have been informed of the new policies that were adopted following the DPA's letter.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/politie-vraagt-nachtregisters-hotels-niet-meer-standaard-op

8 February 2016

A number of large health insurance companies

A number of insurance companies were requesting medical referral letters and plans for treatment from individuals, together with a privacy policy.

The DPA found that this was against the law, as it resulted in medical data (such as diagnoses) being shared with these health insurance companies. The sharing of such data with health insurance companies is highly restricted and is generally prohibited. The DPA coordinated its findings with the Dutch Healthcare Authority.

The DPA sent a letter to the health insurance companies in which it explained its point of view.

No sanctions imposed and the companies halted this practice after receiving the letter.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-opvragen-verwijsbrief-verzekerde-met-privacyverklaring-mag-niet

16 February 2016

De Rooy Transport BV ("De Rooy")

The DPA has conducted research into a shipping company which filmed drivers in their truck during their journeys. When a truck made a sudden and abrupt movement, images were captured and stored. De Rooy used these images to challenge drivers about their driving, with the aim of improving their driving behaviours.

The DPA found that it is not proportionate to film drivers continuously during their working hours for this purpose, as the drivers will de facto be under constant supervision.

No sanctions imposed and De Rooy halted this pilot pending an interview.

Dutch press release:

https://autoriteitpersoonsgegevens.nl/nl/nieuws/transportbedrijf-stopt-filmen-chauffeurs-na-onderzoek-autoriteit-persoonsgegevens

Poland

Date Infringing entity Details of infringement Sanction(s) imposed

January 2016

Social media company ("X")

An individual published photos of prosecution case files on a social media site. The photos contained a significant amount of personal data, including the home address, national identification number (PESEL) and ID document number of a public figure.

GIODO challenged X's T&Cs according to which X's Irish entity ("X Ireland") is the data controller with respect to X's Polish users. GIODO stated that it is X's entity incorporated in the USA ("X USA") which decides on the rules of data processing within the X platform and therefore acts as the data controller.

GIODO found that despite the fact that it is X Poland which conducts business in Poland, its operation is inextricably linked with X USA, and X Poland is operating as an extension of X USA's business in Poland. Therefore, it is a duty of the Polish company to apply all the means necessary to ensure that data processed within the social media platform are processed in accordance with the Polish DP Act. The court invoked the Google Spain case to highlight the responsibility of Polish companies acting on behalf of global corporations.

GIODO ordered X Poland to delete the photographs of the complainant containing personal data because the data were being processed without a legal basis.

Pursuant to this decision, regardless of who the data controller is, if an entity is processing user personal data in Poland, the entity is bound by the Polish DP Act.

December 2015 (press article); date of decision unknown

Bank

Persons trying to contact the bank via the bank's website (who were not the bank's customers) had to give their consent to the processing of their personal data for marketing purposes in order to make contact with the bank. Users also had to consent to receiving marketing communications. Unless they consented, website users were unable to contact the bank.

Information presented to users on the website suggested there was a legal basis for requiring such consent to be given.

GIODO challenged the bank's practice. In its decision, the regulator held that consent was not freely given by website users because unless they provided consent for marketing and the receipt of marketing communications, users were unable to contact the bank.

GIODO also held that the information presented to users was misleading in that users could form the incorrect impression that they were under a legal obligation to provide consent for the processing of their data for marketing purposes and for receiving marketing communications.

February 2016

Telecoms operator

A leading telecoms operator was using the services of a third party provider (a call centre) to directly market its products to individuals without obtaining their prior consent. The call centre was using automated calling systems to make unsolicited marketing offers on behalf of the telecoms operator. Polish law (art. 172 of the Telecoms Law) prohibits such practices, unless prior consent has been given for marketing communications.

The practice was challenged by the President of the Office of Electronic Communications and the President of the Office of Competition and Consumer Protection. The telecoms operator claimed that the use of a third party call centre exempted them from liability.

The Polish Supreme Court held that using a third party call centre does not absolve telecoms operators from liability for the use of automated calling systems for direct marketing where there is no prior consent.

The telecoms operator is the entity that will be liable for the infringement and on which any fine will be imposed.

The judgment relates to telecoms operators; however, it will likely have an impact on entities in other sectors as well.

Spain

Date Infringing entity Details of infringement Sanction(s) imposed

2 November 2015

Vodafone España, S.A.U ("Vodafone")

The Spanish branch of Vodafone checked the personal information of a former customer in a credit blacklist held by a third party.

Further to Article 6.1 of the Spanish Data Protection Act, personal data can only be processed in this context where the data subject has granted his unambiguous consent. Vodafone was not able to evidence that the data subject's consent had been provided for the processing operation which had been carried out (i.e. searching a third party's credit blacklist for the data subject's personal information).

Moreover, Vodafone was unable to justify why the data subject's personal information had been subject to such processing.

Processing personal data without having collected the data subject's consent is a serious infringement of the data protection legislation that, in this case, was subject to a fine of EUR 50,000.

6 November 2015

SEUR, S.A. ("SEUR")

SEUR, a major Spanish courier, had disclosed, in error, personal data about several clients through the claims section available on its website.

Article 9 of the Spanish Data Protection Act (15/1999) states that the data controller shall establish the appropriate technical and organisational measures to guarantee the security of personal data and to prevent damage, loss, unauthorised processing or access, taking into account the state of technology, the nature of the stored data and the risks which the data is exposed to.

According to the Spanish DPA, SEUR failed to comply with Article 9 of the Spanish Data Protection Act.

Infringing Article 9 is considered a serious infringement of the data protection legislation and the fine imposed was EUR 10,000.

20 January 2016

Endesa energia S.A. ("Endesa")

Electricity company Endesa sent several commercial communications by SMS to a data subject who, afterwards, expressed his opposition to this kind of communication several times. Despite his objections, Endesa sent another commercial communication to the recipient.

In accordance with the Spanish E-commerce Act (34/2002), commercial communications may be submitted only where the recipient has given express consent and insofar as the recipient has not objected to the processing of his personal data for this purpose. Sending commercial communications without the user's express consent is a minor infringement that can become a serious infringement where the communications are sent systematically.

While the data subject stated that the commercial communications were systematic, the DPA stressed that the company had expressly confirmed to the data subject that he would no longer receive this kind of communication and, following his objection, he had received only one such communication. Thus, only one commercial communication could be considered as non-legitimate.

Sending commercial communications without the recipient's consent is a minor infringement of the e-commerce legislation and the imposed fine was EUR 30,000.

3 February 2016

Jazz Telecom S.A.U ("Jazz Telecom")

Telecom company Jazz Telecom mixed up the personal data of two different clients who were relatives. Even though the affected users notified the company about the mistake, the error had still not been corrected 4 months later.

Further to Article 4 of the Spanish Data Protection Act (15/1999), personal data processed shall be accurate and updated in accordance with the "quality principle".

The Spanish DPA emphasised that the company did not make any effort to correct its mistake.

Failing to comply with the quality principle is a serious infringement that, in this case, was subject to a fine of EUR 30,000.

Sweden

Date Infringing entity Details of infringement Sanction(s) imposed

15 October 2015

AB Svenska Spel ("Svenska Spel")

Svenska Spel is the largest gambling operator in Sweden and is wholly owned by the Swedish State. Before June 2014, individuals could anonymously participate in Svenska Spel's gambling. Since June 2014, Svenska Spel has required individuals who wish to participate in gambling activities made available by Svenska Spel to register as a customer of Svenska Spel, with the exception of physical games (e.g. lottery tickets).

Individuals can either sign up as a customer through Svenska Spel's website or through an agent. Individuals who sign up through the website are informed that, by setting up an account, they consent to the processing of their personal data; further information regarding such processing is only available via a link. Svenska Spel therefore uses implied consent for the processing of its customers' personal data (i.e. the customers do not provide explicit consent). When an individual signs up via an agent, the individual provides his/her

The DPA required Svenska Spel to either cease the processing conducted in Playscan or seek the informed, unambiguous and explicit consent of its customers.

The DPA, furthermore, required Svenska Spel to halt the collection of personal data for the purposes of research, since the consent that had been given was not valid because customers had been provided with insufficient information to allow their consent to be informed.

41

Date Infringing entity Details of infringement Sanction(s) imposed

personal data and then after consent has been given, receives a temporary customer card which includes information concerning Svenska Spel's processing of his/her personal data. Svenska Spel processes the personal data of its customers inter alia in order to counteract and prevent excessive gambling/gambling addiction, partly by letting customers limit their own gambling activities and partly by using a "responsible gambling" tool;

Playscan - Svenska Spel uses Playscan to conduct a risk assessment on all registered customers, even on customers that have not actively chosen to use Playscan. The assessment is based on information related to e.g. how the customer has played, which gambling activities he/she has participated in and how much, amount of money spent, net loss etc. Svenska Spel, furthermore, uses the personal data in Playscan for direct marketing purposes and discloses certain information for research purposes. However, the information provided to individuals about Playscan's processing does not include sufficient information to explain that data in Playscan may be used for direct marketing purposes, and the purposes of the research for which the data may be used are not clearly defined or specified.

The Swedish Data Protection Authority ("DPA") stated that information which concerns whether someone has a gambling addiction or is a compulsive gambler constitutes health related information i.e. sensitive personal data. Under the Swedish Data Protection Act ("PDA"), valid consent shall be inter alia informed, i.e. the data subject must have received the necessary information to enable him/her to assess the implications of the processing before consent is given, and when the processing includes sensitive personal data the consent needs to be explicit. The DPA concluded that Svenska Spel processes sensitive personal data without a valid legal ground since that consent which is given does not fulfil the requirements under the PDA as to how a valid consent shall be given.

18 November 2015

The Children and Primary School Board of Täby municipality (Sw: Barn- och grundskolenämnden i Täby kommun) (the "Board")

The Board provides teachers and students in primary schools within its municipality with a so-called Learning Management System, VKlass.

Teachers may use VKlass as a digital tool for educational work as well as for administration relating to educational work (e.g. to give students formative assessments, provide grades and register individual development plans). VKlass is a cloud service which is accessible over an open network after authentication with username and password.

The DPA stated that some of the information processed in the system should typically be considered sensitive personal data relating to the students' personal circumstances, which demands a higher degree of security when processed. In general, when sensitive personal data, or other personal data that can be considered personally sensitive, are communicated via an open network, the controller (i.e. the Board) should use strong authentication, e.g. e-identification, before a user can access the data, in order to prevent unauthorised access. The DPA concluded that authentication with username and password to access VKlass did not fulfil the security requirements under the PDA.

Students may use VKlass for school-related purposes (e.g. to register assignments). However, VKlass also includes social features (e.g. a chat function) that the students may use for private purposes. Information derived from the social features was stored in VKlass and could be accessed by personnel of the student's school.

The DPA stated that the Board has a legal ground for the processing of personal data in VKlass if the processing is necessary for the Board's performance of its duties (the education and the administration relating to the education). However, the DPA stated that the fact that the system includes social features for the students' private use, and the fact that information derived from such use is stored and may be accessed, could be considered processing in violation of the PDA, since such processing cannot be considered necessary for, or connected with, the Board's operations or the performance of its duties, i.e. it cannot be considered to be conducted for a legitimate purpose.

The DPA required the Board to:

- ensure that schools do not process personal data derived from the social features in VKlass which are not connected with the schools' operations, since such processing is not conducted for a legitimate purpose; and

- take measures to ensure that only the intended recipients can access personal data in VKlass, for example through the use of e-identification.

17 February 2016

Södermalms District Committee (Sw: Södermalms stadsdelsnämnd) (the "Committee")

The Committee provides the Paragå system to its employees (nurses, auxiliary nurses and family caregivers) who are part of homecare in Södermalm and to the district's administration. Paragå is an IT platform that may be used within the healthcare sector and for homecare services.

It should be noted that the processing of personal data in the system falls within the scope of the Act on the processing of personal data within social services (2001:454) (the "Act") as well as within the scope of the PDA.

In Paragå, the Committee (through its employees) processes personal data such as names, addresses, action plans and measures taken. Furthermore, Paragå has a free text field where medical records and work notes may be included. According to the DPA, the personal data processed in the system in some circumstances constitute sensitive personal data or integrity-sensitive personal data.

During an audit the DPA found that family caregivers could access more personal data than necessary to perform their duties. This violated provisions of the Act which provide that personal data may only be processed if the processing is necessary in order to perform a work task within the social services. It was furthermore found that the Committee neither logged any actions taken in the system nor conducted any log monitoring to check for possible unauthorised processing of personal data, and that the system was accessible over an open network after authentication with username and password.

The PDA provides that the controller (i.e. the Committee) shall implement appropriate technical and organisational measures to protect the personal data that are processed. The measures shall provide a level of security that is appropriate with regard to e.g. the sensitivity of the personal data processed. In general, when sensitive personal data, or other personal data that can be considered sensitive, are communicated via an open network, the controller shall use strong authentication, e.g. e-identification, before a user can access the data, in order to prevent unauthorised access.

The DPA concluded that the fact that the Committee did not keep logs, and that the system was accessible after authentication with username and password only, did not fulfil the security requirements under the PDA.

The DPA required the Committee to:

- ensure that family caregivers cannot access any more data than is necessary in order for them to provide healthcare to their relatives;

- log actions taken in the system and also establish a routine to regularly follow up on the logs; and

- ensure that, when access to personal data is permitted over an open network, the authentication methods used meet the requirement for strong authentication.

Switzerland

Date Infringing entity Details of infringement Sanction(s) imposed

4 January 2016

Public transport union and SBB AG, Swiss Federal Railways

The SwissPass, the new electronic public transport card introduced in August 2015, is scanned by ticket inspectors on buses and trains, and the time of day, train or route number and pass number are all saved within 90 minutes to a database. The collection and storage of this passenger data was found to be disproportionate and without a lawful basis.

The FDPIC recommended that there should be clarification (in terms customers can understand) regarding who is the data controller and that the wording of the terms of services used to inform customers about the use of data for marketing purposes and about their opt-out rights should be improved.

Data processing to be stopped.

On October 22, 2015, the Swiss Data Protection Authority published a statement indicating that the Swiss Safe Harbor privacy framework is no longer sufficient and that companies need to implement stricter contractual controls when exporting personal data to the U.S. As in the EU, companies can rely on SCCs. However, the DPA considers that data subjects should be informed about transfers to the U.S. even though the law does not provide for such an obligation.


http://www.edoeb.admin.ch/datenschutz/00626/00753/00970/01320/index.html?lang=fr

By Sylvain Métille (HDC, Lausanne)

United Kingdom

Date Infringing entity Details of infringement Sanction(s) imposed

30 September 2015

Home Energy & Lifestyle Management Ltd ("HELM")

An ICO investigation revealed that HELM had used an automated calling system to make over six million calls without subscriber consent as part of a massive automated marketing campaign offering "free solar panels". The investigation was triggered by over 200 complaints via the ICO's online reporting tool, and the campaign was found to amount to a serious and deliberate breach of regulation 19 of PECR. The ICO had previously written to HELM and received an assurance that it would not run a similar campaign. In response to an ICO reminder that consent was required from each subscriber before making "automated" calls, HELM admitted that it had not been aware that a different PECR regulation applies to "automated" (rather than "live") marketing calls; it had therefore been applying the same approach it used for "live" calls.

A monetary penalty notice of £200,000 was issued.


5 October 2015

Anglesey County Council (the "Council")

Two separate security incidents dating back to 2011 led to the ICO imposing undertakings which required an improvement in security and privacy practices. Subsequent audits in 2013 and 2014 revealed that the undertaking requirements had not been fully implemented. Although the Council stated that it had taken remedial steps in its response to the preliminary enforcement notice, the ICO had "limited confidence" in the Council's commitment to implement these on an ongoing basis given previous failures. ICO concluded that the Council had failed to comply with the seventh data protection principle by failing to take appropriate security measures. The likelihood of distress to the Council's data subjects was considered to be "self-evident".

The ICO issued an Enforcement Notice requiring the Council, within 3 months, to take steps to ensure that on an ongoing basis:

- data protection KPIs and measures are monitored and acted upon;

- there is a mandatory data protection training programme for all staff (including new starters) and annual refresher training, with participation and completion recorded and documented;

- policies are being read, understood and complied with;

- information is backed up to the external server on a daily basis;

- back-ups are tested periodically to ensure that they have not degraded and that information is recoverable;

- physical access rights are revoked promptly when staff leave and periodically reviewed to ensure that appropriate controls are in place;

- the lack of adequate storage solutions for manual records is addressed; and

- consistent and regular monitoring is undertaken to enforce a clear desk policy.


8 October 2015

Nuisance Call Blocker Ltd ("NCB")

NCB, a company offering a cold calling prevention service, has been prosecuted for failing to respond to an ICO information notice.

NCB was ordered to pay a fine of £2,500, a £120 victim surcharge and £429.85 prosecution costs.

20 October 2015

Pharmacy2U Ltd ("Pharmacy2U")

Pharmacy2U, the UK's largest NHS approved online pharmacy, was fined £130,000 for selling details of more than 20,000 customers to marketing companies in breach of the Data Protection Act. The ICO considered that Pharmacy2U's online registration form and privacy policy did not inform its customers that it intended to sell details on to third parties. Such actions would not be within a customer's "reasonable expectations", even if they were willing to agree to receive marketing material from the company itself. Not only did this mean that such processing was unfair, but the failure to obtain informed consent to such a transfer meant that there was no lawful basis for processing under Part I, Schedule 2 DPA. The ICO was also satisfied that it constituted a "serious" contravention "due to the context in which the personal data was unfairly processed, the number of individuals affected (21,500) and the purposes for which the data was used".

A monetary penalty notice of £130,000 was issued.

27 October 2015

Help Direct UK Ltd ("Help Direct")

A marketing campaign consisting of thousands of unsolicited marketing text messages prompted 6,758 complaints in just one month. As Help Direct is a "lead generation company", these related to a variety of services being offered, including the reclaim of PPI payments, bank refunds and loans. The ICO had previously issued Help Direct with an enforcement notice on 24 February 2015, after finding that its sending of unsolicited marketing material without consent breached regulation 22 of PECR. The practice continued after this date. The scale of the operation over a short period of time meant that this contravention was "serious". The ICO also found that Help Direct was "fully aware" of its obligations under regulation 22 and had taken active steps to use methods known in the marketing industry to assist in avoiding detection by mobile networks' spam detectors (i.e. using unregistered SIM cards and dongles).

A monetary penalty notice of £200,000 was issued.

4 November 2015

Space Systems Ltd ("Space Systems")

Space Systems, a storage solutions company, has been prosecuted at Manchester Magistrates' Court for failing to carry out an ICO registration (contrary to s.17 DPA).

Space Systems pleaded guilty to the offence and was fined £500. It was also ordered to pay £440 costs and a £50 victim surcharge.

4 November 2015

The Crown Prosecution Service ("CPS")

The CPS was fined £200,000 after laptops containing police interview videos were stolen from a private film studio. Lost data concerned interviews with 43 victims and witnesses – involving 31 investigations. The vast majority of these investigations were ongoing, and of a violent or sexual nature. Some related to historical allegations against a high profile individual. The CPS had entered into an agreement whereby a private studio edited videos of police interviews so that they could be used in criminal proceedings. Unencrypted DVDs containing the videos were sent using a national courier firm. In urgent cases, the sole proprietor of the studio would collect such DVDs and deliver them to the premises himself using public transport. The private studio was situated in a multiple-occupancy residential block. There was a simplex lock on the communal door, the CCTV did not work and the studio was not alarmed. Three unencrypted laptops which had been left out on desks were stolen when an opportunistic burglar gained access to the studio. On these facts, the CPS was found to have failed to take appropriate technical and organisational security measures, in contravention of the seventh data protection principle. According to the ICO, it should have monitored the outsourced processing activity, obtained security guarantees and implemented a DPA compliant processing agreement.

A monetary penalty notice of £200,000 was issued.


10 November 2015

Oxygen Ltd ("Oxygen")

The ICO received 214 complaints between 25 March 2015 and 28 April 2015 regarding automated calls offering debt management services. The sender or instigator of the communication was not identified in the calls. Upon investigation, the ICO determined that the telephone numbers used to make the automated calls were those of Oxygen. In June 2015, the ICO asked Oxygen questions relating to its compliance with PECR and reminded the company of its regulation 19 obligation and the ICO’s enforcement powers. In response, Oxygen Ltd claimed that the automated calls were made by a third party organisation on Oxygen’s behalf. Oxygen claimed that it had been told by the third party that calls would be screened against the Telephone Preference Service. Oxygen also stated that it had purchased its call list from a third party and had been informed that the data was “opted-in”. The ICO subsequently wrote to Oxygen to re-state that, to comply with regulation 19 PECR, consent is required for automated marketing calls. As the instigator of the calls, Oxygen is responsible for ensuring that the necessary consent has been obtained; relying on the undocumented assurances of a third party is insufficient. The ICO was satisfied that the contravention was serious: 1,015,268 calls were made in less than one month to subscribers without their prior consent and the automated calls were misleading (as they implied that they were part of a government initiative). The ICO determined that automated calls were deliberately sent or instigated.

A monetary penalty of £120,000 was issued.

13 November 2015

Aston James Consulting Ltd trading as "The CV Writers" ("Aston James")

Aston James was prosecuted for failing to notify its processing to the ICO (in contravention of s.17 DPA 1998) and failing to respond to an information notice (in contravention of s.47 DPA 1998).

Fine of £1,250 and ordered to pay costs of £619.85 plus a victim surcharge of £75.


13 November 2015

Sirona Care & Health (“Sirona”)

An email containing sensitive personal data (such as names, dates of birth, NHS numbers, addresses and medical details) about three service users was sent to the wrong email address. The intended recipient was a member of staff, but the sender accidentally selected the email address of former service user who shared the same first name. The email address of the former service user had been saved but not subsequently deleted. Sirona had implemented data protection policies and procedures, but the ICO found that these did not offer substantial guidance on verifying email addresses and did not require employees to delete irrelevant email addresses, so were not deemed to be fully effective. Whilst induction and annual mandatory information governance training is provided by Sirona, the ICO found that the employee in question had not received this training for over two years. The ICO also found that only 66% of staff had received up to date training. The ICO had previously expressed concerns that Sirona could not demonstrate that employees completed information governance training annually and that employees might not have been sufficiently aware of Sirona’s data protection policies and procedures. Consequently, the ICO found that Sirona may not have taken sufficient steps to act on previous advice.

Sirona gave an undertaking to:

- ensure mandatory annual data protection refresher training is implemented for all staff who routinely process personal data;

- ensure that the completion rate of data protection training is monitored, and implement appropriate follow-up procedures for staff in cases of non-compliance; and

- review policies to ensure that staff are provided with appropriate guidance on email-checking procedures. Policies should be readily accessible to employees.

23 November 2015

Falkirk Council (the "Council")

An individual made a subject access request to the Council. The bundle of documents sent to the individual by the Council in response contained some documents pertaining to an unrelated third party, which had been incorrectly filed. The documents were not checked to ensure that only information relevant to the individual who had made the request was disclosed. During its investigation, the ICO learned that only 11.4% of employees had completed one or more sections of the Council's data protection training modules.

The Council gave an undertaking to take the following steps:

- within 9 months, provide training to all staff members handling personal data as part of their role. Training will be mandatory and refreshed annually;

- within 6 months, implement a system for monitoring attendance/completion of training (including steps to be taken when training has not been attended/completed);

- within 6 months, improve the guidance issued to staff who routinely handle subject access requests (including details on how third party data should be dealt with); and

- within 6 months, produce a high-level data protection policy setting out the data controller's commitments to the protection of personal data and the general standards to which it will adhere. This will be communicated to all staff within 1 month of completion.

23 November 2015

UKMS Money Solutions Limited (“UKMS”)

UKMS offers PPI compensation claim services. Between 6 April 2015 and 10 June 2015, 1,405 complaints were made to the GSMA's spam reporting service and 37 complaints were made to the ICO. In June 2015, the ICO wrote to UKMS with questions about UKMS's PECR compliance and a warning about the ICO's enforcement powers. UKMS responded that it had purchased the data used for the text messages from third party suppliers and that messages were only sent to individuals who had opted in. In July 2015, the ICO wrote to UKMS explaining that it was the responsibility of the sender of the direct marketing material to ensure PECR compliance (regardless of assurances received from third party suppliers). The ICO also requested that UKMS produce evidence of the consents it relied upon in respect of the April and June complainants. UKMS provided the ICO with the consent wording relied upon by the third party suppliers, but this was found to be insufficient to amount to consent for the purposes of regulation 22 PECR. The ICO was satisfied that the contravention was serious: a total of 1,320,000 direct marketing messages were sent to individuals who had not consented to receiving such communications. Whilst the ICO did not find that UKMS had deliberately contravened PECR, it concluded that it was reasonable to suppose that UKMS should have been aware of its responsibilities in relation to direct marketing, particularly given the nature of UKMS's business and the fact that the problem of unsolicited text messages is widely publicised.

A monetary penalty of £80,000 was issued.

25 November 2015

Nuisance Call Blocker Ltd (“NCB”)

The ICO received numerous complaints, via the TPS and directly from individuals who are subscribers to specific telephone lines, alleging that they had received unsolicited marketing calls on those lines from NCB. These calls were made by NCB in order to sell a call-blocking service and a device to stop unsolicited calls, the exact same type of calls that NCB itself was making. Each individual stated that they had previously notified NCB that such calls should not be made on that line and/or had previously registered their number with the TPS. The ICO found that, between 7 April 2015 and 22 July 2015, NCB used a public telecommunications service for the purposes of making 309 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number registered with the TPS, contrary to regulation 21(1)(b) of PECR.

A monetary penalty notice of £90,000 was issued. An Enforcement Notice was also issued requiring the company to stop making calls to lines of subscribers who have: (1) previously objected to such calls or; (2) registered with the TPS.

25 November 2015

Telecom Protection Service Ltd ("Telecom Protection")

The ICO found that, between 26 September 2013 and 24 July 2015, Telecom Protection used a public telecommunications service for the purposes of making 839 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number registered with the TPS, contrary to regulation 21(1)(b) of PECR.

The ICO found that the "seriousness" conditions in s.55A DPA had been met and therefore issued a monetary penalty on that basis. The ICO also found that Telecom Protection had breached regulation 21 of PECR under exactly the same circumstances as outlined above in relation to NCB.

The ICO issued an Enforcement Notice requiring Telecom Protection, within 35 days of the date of the notice, to stop making calls to lines of subscribers who have: (1) previously objected to such calls; or (2) registered with the TPS.

A monetary penalty notice of £80,000 was also issued.

25 November 2015

Leeds Community Healthcare NHS Trust (the "Trust")

The ICO was provided with a report from the Trust, as the data controller, that two letters containing sensitive personal data relating to one patient had been included in the response to another person’s subject access request. The error occurred due to several factors. In the first instance the letters in question were filed incorrectly. Several opportunities to identify the wrongly filed letters were then missed before the information was sent. The ICO further discovered that temporary staff did not necessarily receive any data protection training, unless they were employed by the Trust for over three months. The Trust’s policies also set out that Information Governance training, which includes data protection, was only refreshed every three years. The Trust has now undertaken to ensure that personal data is processed in accordance with the Seventh Data Protection Principle and, in particular, that all staff processing personal data on its behalf (whether permanent or otherwise) are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data.

The Trust gave an undertaking to secure compliance with the Seventh Data Protection Principle. This requires the Trust to, inter alia:

- ensure all staff involved in processing personal data receive sufficient and compulsory data protection training, such training to be logged, monitored and refreshed annually;

- issue those handling subject access requests with dedicated training; and

- implement such other security measures as are appropriate.

26 November 2015

Direct Security Marketing Ltd ("Direct Security") (and its director Antonio Pardo)

Direct Security failed to notify its processing to the ICO in breach of s.17 DPA. Its sole director had been negligent in allowing the company to commit the offence and was therefore also liable for the offence further to s.61 DPA.

Direct Security was fined £650, ordered to pay costs of £492.78 and a £65 victim surcharge. The director was fined £534, ordered to pay £489.08 costs and a £53 victim surcharge.


4 December 2015

Northumbria Healthcare NHS Trust (the "Trust")

The ICO conducted a "follow-up" assessment of the actions taken by the Trust in relation to an undertaking it signed in April 2015 to comply with the seventh data protection principle. The ICO found that the Trust had taken appropriate steps by:

- implementing procedures to ensure that breaches of security are acted on promptly and remedial measures are strictly enforced;

- implementing a fax procedure across all wards and monitoring regularly to ensure consistent standards;

- making clear the process around the use of safe haven fax machines; and

- implementing other appropriate security measures, such as a 'Task and Finish Group' to look at the use of fax machines around the Trust.


9 December 2015

Aurangzeb Iqbal

The ICO received numerous complaints in relation to unsolicited marketing calls received from individuals acting on behalf of Mr Iqbal. The ICO found that Mr Iqbal had contravened Regulation 21 of the Privacy and Electronic Communications Regulations 2003.

The ICO issued an Enforcement Notice requiring that Mr Iqbal neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is that of:

(a) a subscriber who has previously notified Mr Iqbal that such calls should not be made on that line; and/or

(b) a subscriber who has registered their number with the TPS at least 28 days previously and has not notified Mr Iqbal that they do not object to such calls being made.

10 December 2015

Zita Driaunevicius-Cookson

Zita Driaunevicius-Cookson, a former medical practice director, was prosecuted for accessing the medical records of colleagues and members of their family without consent.

She was fined £300, ordered to pay costs of £434.73 and a victim surcharge of £20.

11 December 2015

The Universities and Colleges Admissions Service ("UCAS")

The ICO conducted a "follow-up" assessment of actions taken by UCAS following an undertaking given in April 2015 to comply with the first data protection principle. The ICO found that UCAS had taken the following appropriate steps:

- new commercial mailing "opt-ins" have been launched in all UCAS admission schemes. The opt-ins allow applicants to choose to receive further information relating to education, careers and health separately from commercial products and offers;

- new "Applicant Declarations" have been produced, providing clearer and more in-depth information about the uses of personal information within each scheme. The declarations also reflect the nuances in the data collected and shared within each scheme. A new, more detailed privacy policy has also been developed; and

- user testing was conducted in respect of the privacy policies and applicant declarations.

17 December 2015

Iheanyi Ihediwa

Iheanyi Ihediwa pleaded guilty to offences involving buying personal data.

Ihediwa was fined £1,000, ordered to pay prosecution costs of £864.40 and a victim surcharge.

18 December 2015

Bloomsbury Patient Network ("BPN")

BPN is a specialist HIV treatment centre. BPN regularly sends newsletters via email to inform users of upcoming events. On 17 February 2014, BPN sent an email to between 60 and 200 service users who all had HIV. The email addresses were entered into the "to" field instead of the "bcc" field. Therefore, the recipients of the email could see the email addresses of all the other recipients. There was no formal guidance or training to remind employees to double check that the group email addresses were entered into the correct field. A similar error was made on 6 May 2014. The recipients of an email could infer the HIV status of the other recipients. BPN serves a small geographical area; it is therefore possible that the affected individuals may know one another. The names in the email addresses also make it possible for the individuals to identify one another. Given the first breach, BPN ought reasonably to have known that the group email addresses would be vulnerable to a security breach. BPN also ought to have known that such a breach would cause substantial distress and failed to take reasonable steps to prevent the contravention.

A monetary penalty notice of £250 was issued. The ICO considered the following mitigating circumstances: BPN has been fully co-operative with the ICO; BPN apologised to the affected individuals; BPN has now taken substantial remedial action; and there will be a significant impact on BPN's reputation as a result of the breach.
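Both BPN incidents had the same mechanical cause: a distribution list pasted into the visible "to" field rather than "bcc". The following Python is an added illustration, not code from BPN or the ICO, of how a bulk mailing can be built so that recipients are only ever carried in Bcc, together with a pre-send check that refuses any message whose To/Cc headers would reveal one recipient to another. The sender address, recipient addresses and function names are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientLeakError(ValueError):
    """Raised when a bulk message would reveal recipients to one another."""


def build_bulk_message(sender, recipients, subject, body):
    """Build a newsletter-style message whose recipients are hidden in Bcc.

    The only address left in a visible header is the sender's own, so no
    recipient can read any other recipient's address.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                  # visible To: the sender only
    msg["Bcc"] = ", ".join(recipients)  # hidden: not transmitted as a header
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def envelope_recipients(msg):
    """Addresses the mail is actually delivered to (To + Cc + Bcc).

    These become the SMTP RCPT TO recipients; the Bcc header itself must not
    be sent (smtplib.SMTP.send_message() strips it before transmission).
    """
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Bcc", []))
    return [addr for _, addr in getaddresses(headers) if addr]


def leaked_addresses(msg, sender):
    """Recipient addresses exposed in To/Cc, ignoring the sender's own."""
    return [a for a in visible_recipients(msg) if a.lower() != sender.lower()]


def check_no_recipient_leak(msg, sender):
    """Pre-send gate: refuse to send if any recipient is visible to the others."""
    leaked = leaked_addresses(msg, sender)
    if leaked:
        raise RecipientLeakError(
            f"{len(leaked)} recipient address(es) exposed in To/Cc: {leaked}")
    return True


# Constructed sample data for the example; not real addresses or service users.
SENDER = "newsletter@example.org"
RECIPIENTS = [
    "alice.smith@example.net",
    "bob.jones@example.net",
    "carol.white@example.net",
]

# Safe message: recipients carried in Bcc only.
SAFE_MSG = build_bulk_message(SENDER, RECIPIENTS, "Upcoming events",
                              "Dates for the next support sessions.")

# The BPN-style mistake: the whole distribution list pasted into To.
LEAKY_MSG = EmailMessage()
LEAKY_MSG["From"] = SENDER
LEAKY_MSG["To"] = ", ".join(RECIPIENTS)
LEAKY_MSG["Subject"] = "Upcoming events"
LEAKY_MSG.set_content("Dates for the next support sessions.")


if __name__ == "__main__":
    check_no_recipient_leak(SAFE_MSG, SENDER)
    print("safe message: visible =", visible_recipients(SAFE_MSG),
          "| delivered to", len(envelope_recipients(SAFE_MSG)), "addresses")
    try:
        check_no_recipient_leak(LEAKY_MSG, SENDER)
    except RecipientLeakError as exc:
        print("leaky message rejected:", exc)
```

The check belongs in the sending path, not in staff guidance alone: the ICO's point was that after the first incident BPN knew the group address was exposed to exactly this error, and a gate that rejects a message with more than the sender's own address in To/Cc removes the reliance on someone remembering to "double check" the field.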


21 December 2015

Telegraph Media Group (proprietor of "The Telegraph")

The Telegraph transmitted unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes, contrary to Regulation 22(2) of PECR. In May 2015, The Telegraph had planned to send its regular "morning briefing" bulletin to those readers who had subscribed to receive editorial content emails. Prior to the bulletin being sent, The Telegraph's data team received a last-minute instruction that a letter from the editor, urging the newspaper's readers to vote for the Conservative party in the general election, would be included in the bulletin. The data team complied with the instruction and sent the bulletin and letter to the subscribers to the "editorial content" mailing list. Some of these readers had opted out of receiving marketing communications from The Telegraph and some had not. For those that had not opted out, the soft opt-in rule would normally apply. However, the soft opt-in rule does not apply to non-commercial promotions, including political campaigning. The ICO therefore found that The Telegraph had contravened Regulation 22(2) of PECR.

A monetary penalty notice of £30,000 was issued. The ICO considered the following mitigating circumstances: the contravention was unprecedented; the contravention was unlikely to cause substantial damage or distress to the Telegraph's readers; the Telegraph has taken substantial remedial action; the Telegraph fully co-operated with the Commissioner's office; and there is potential for significant damage to the Telegraph's reputation as a result of this contravention which may affect future business.


23 December 2015

Croydon Health Services NHS Trust (the "Trust")

The outcome of a complaint made by a patient was sent to the wrong address. The documents sent erroneously included sensitive personal data, comprising clinical information, relating to the patient. Upon investigating, the ICO discovered that the error had been made by a temporary employee who had not received the appropriate training and guidance for the role they were expected to fulfil.

The Trust gave an undertaking to ensure that:

information governance training targets are given priority and are subject to regular ongoing review;

all Complaints Team staff receive data protection training annually;

attendance at data protection training sessions is monitored;

a review of data flows and an information risk assessment are completed;

procedures for checking correspondence are captured in a clearly written document and notified to all relevant staff;

the implementation of recommendations from incident reports is reviewed; and

it provides evidence of the implementation of these measures by 31 March 2016.


4 January 2016

South West Yorkshire Partnership NHS Trust (the "Trust")

The ICO conducted a "follow-up" assessment of the actions taken by the Trust in relation to an undertaking it gave in May 2015 to comply with the seventh data protection principle. The ICO found that the Trust has taken appropriate steps by:

updating the Safe Haven Policy to include guidance on creating local validation check procedures for outgoing correspondence;

reviewing its processes for managing incidents and amending the incident reporting form;

re-grading all Information Governance incidents as amber to ensure the appropriate level of investigation is undertaken;

organising a 'Think Information Governance' campaign with the intention of raising awareness amongst staff; and

developing new classroom-based information governance training to be more relevant for staff.

However, the ICO considered the Trust should take further action as follows:

satisfy requirements in relation to the Safe Haven Policy and make the policy available to staff, flagging key amendments;

ensure processes relating to checking contact details of correspondence are implemented in all Trust areas; and

communicate changes (e.g. mandatory amber identifier for information governance incidents) to all staff as soon as practicable.

7 January 2016

The Alzheimer's Society

After a security breach that occurred in February 2010, the ICO discovered a second breach in April 2015. The ICO considers that the fifth and seventh data protection principles were breached.

The ICO issued an Enforcement Notice requiring the Alzheimer's Society, within 6 months, to take steps to ensure that:

personal data is not kept for longer than necessary;

a data protection training programme is made mandatory for all staff and that refresher training occurs at least every two years;

completion of the training is monitored;

data protection policies and procedures are notified to all staff;

portable devices that store and transmit personal data are encrypted;

all staff are given secure email accounts;

all staff are given secure storage facilities;

manual checks are made to identify vulnerabilities on the data controller's website;

appropriate organisational and technical measures are taken against unauthorised access by staff; and

paragraphs 11 and 12 of Part II of Schedule 1 to the DPA are complied with where a data processor carries out processing on behalf of the data controller.

8 January 2016

Sindy Nagra

A former Enterprise Rent-A-Car employee was prosecuted for unlawfully obtaining, disclosing and selling personal data. This is a criminal offence under section 55 of the Data Protection Act. She pleaded guilty to selling around 28,000 customers' records for £5,000.

She was fined £1,000, ordered to pay a £100 victim surcharge and £864.40 prosecution costs.

18 January 2016

Rochdale Borough Council ("RBC")

The ICO conducted a "follow-up" assessment of the actions taken by RBC in relation to an undertaking it signed in July 2015 to comply with the seventh data protection principle. The ICO found that RBC has taken appropriate steps by:

ensuring all new starters complete data protection training within 15 working days;

ensuring all staff are required to complete refresher training every 2 years;

ensuring training is mandatory for all new starters, including agency staff; and

updating guidance relating to keeping personal information secure when taking it out of the workplace.

In addition to the steps already taken, the ICO considered RBC should also consider the nature of a new starter's role when prescribing the length of the deadline to complete training, e.g. a shorter deadline may be more appropriate for those employees dealing with personal data on a regular basis.

27 January 2016

King's College London ("KCL")

The ICO conducted a "follow-up" assessment of the actions taken by KCL in relation to an undertaking it signed in July 2015 to comply with the seventh data protection principle following a security incident in which a spreadsheet containing personal data, including exam results, of 1831 students and applicants was sent in error to 22 students. Upon recent inspection, the ICO was satisfied that KCL had "taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted".

The ICO considered KCL should continue to implement the requirements of the July 2015 undertaking.

29 January 2016

The Mint Condition Media Ltd trading as Hot Leads Factory ("MCM")

The ICO received a complaint from a data subject concerning MCM's failure to respond to a subject access request made on 12 May 2015. The ICO assessed this complaint, holding that:

MCM had contravened the sixth data protection principle, namely that personal data must be processed in accordance with the rights of the data subject;

MCM had failed to properly respond to a legitimate subject access request without undue delay; and

this breach was likely to cause damage or distress to the complainant; the failure "denied the data subject the opportunity of correcting inaccurate personal data about him…because he is unable to establish what personal data are being processed, within the statutory timescale."

The ICO issued an Enforcement Notice requiring MCM, within 30 days, to properly respond to the subject access request, in compliance with s.7 of the Data Protection Act.

29 January 2016

Martyn F Arthur Forensic Accountant Ltd ("Martyn F Arthur")

The ICO received a complaint from a data subject concerning Martyn F Arthur's failure to respond to a subject access request made on 25 March 2015, in accordance with s.7 DPA. The ICO assessed this complaint, holding that:

Martyn F Arthur had contravened the sixth data protection principle, namely that personal data must be processed in accordance with the rights of the data subject;

Martyn F Arthur failed to properly respond to a legitimate subject access request without undue delay; and

this breach was likely to cause damage or distress to the complainant; the failure "denied the data subject the opportunity of correcting inaccurate personal data about him…because he is unable to establish what personal data are being processed, within the statutory timescale."

The ICO issued an Enforcement Notice requiring Martyn F Arthur, within 30 days, to properly respond to the subject access request, in compliance with s.7 of the Data Protection Act.

3 February 2016

Community Transport Ltd ("Community Transport")

The ICO conducted a "follow-up" assessment of the actions taken by Community Transport in relation to an undertaking it signed in July 2015. This was an undertaking to comply with the fifth and seventh data protection principles, following the loss of a backup hard drive containing the data of 4,138 subjects. The ICO found that:

the requirement to use encryption software on all portable devices used to transmit personal data had not been completed as a prerequisite database upgrade was needed. The ICO advised that this should be prioritised;

storage and personal data policies had been improved and revised guidelines for staff had been created;

there was no evidence of compliance with a requirement that data retention policies should be updated;

there was no evidence that staff handling personal data had been given appropriate training which was refreshed regularly; and

backup hard disks were still manually removed from the site (although Community Transport insisted that the data were not accessible without the corresponding software). Nevertheless, the ICO recommended encryption or replacing the system with a cloud-based solution.

The ICO's conclusion was that further work needed to be completed to fully address the actions agreed in the undertaking given by the company.

17 February 2016

MyIML

MyIML's business involved making unsolicited marketing calls to individual subscribers in order to sell solar panels and other green energy saving equipment.

In November 2013, MyIML was identified by the ICO as being the subject of a large number of complaints about unsolicited marketing calls.

Despite discussions with and warnings given to MyIML, the ICO established that, between 9 October 2013 and 17 July 2015, MyIML used a public telecommunications service for the purposes of making 1,048 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number listed on the register of numbers kept by OFCOM in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR.

A monetary penalty notice of £80,000 was issued.

17 February 2016

Direct Security Marketing Ltd ("DSM")

DSM provides a range of marketing services to its clients. The Commissioner's office received 49 complaints via the online reporting tool. The gist of the complaints was that automated marketing calls were received by subscribers early on 24 August 2015, inviting them to purchase a security system. The calls were made from a withheld number and did not identify the sender.

Subsequently, the Commissioner's office established that DSM instigated 39,214 automated calls on 24 August 2015, although the calls were only connected to approximately 12,000 subscribers. DSM instigated 9,775 of those calls between the hours of 01:00 and 06:00 in the morning.

A monetary penalty notice of £70,000 was issued.

24 February 2016

Western Health and Social Care Trust (the "Trust")

The ICO conducted a "follow-up" assessment of the actions taken by the Trust in relation to an undertaking it signed on 28 April 2015.

The review found that the Trust had taken appropriate steps and put plans in place to address some of the requirements of the undertaking but that further work was needed to fully address the agreed actions.

In particular, the Trust confirmed that it had taken the following steps:

the Trust's ICT Disposal Policy was reviewed. The amended policy now sets out conditions for redistribution of ICT equipment. The policy is currently going through the Trust's approval process and final Trust Board approval is expected in March 2016;

PCs and laptops that are scheduled for disposal will now have their hard disks removed; the Trust will use two different waste management companies for the disposal of hard disks. Disks will be shredded and certificates of destruction will be provided; and

the Trust will develop a bespoke training package to address the SAR issues highlighted. The training is currently under development and will build on the existing guidance to cover all aspects in relation to the protocol for processing and copying patient data for release. This will include areas such as checking, identification, redaction and the process to follow for misfiling and removal of third-party data.

The Trust was advised to take further action in relation to staff training. The Trust was aiming for an end of year completion rate of 25%. However, the ICO considered that the Trust should aim to have all members of staff, whose role involves the routine processing of personal data, appropriately trained as soon as possible.

26 February 2016

British Red Cross

British Red Cross has signed an undertaking committing the charity to best practice in relation to fundraising calls.

This action followed an article published in the Daily Mail on 7 July 2015, as a result of which the Commissioner launched an investigation into the direct marketing practices of the charity sector.

An undertaking was given committing the British Red Cross to comply with Regulation 21 PECR and in particular to:

implement an "opt-in" consent model for live telephone marketing calls within 12 months (i.e. consent based on a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of an individual's agreement to personal data relating to them being processed in this way); and

ensure that data used on the basis of consent is subject to a 24 month expiration period, in line with its business needs, after which time the British Red Cross will only make live telephone marketing calls upon gathering fresh, specific and informed consent from the individual.


28 February 2016

Preferred Pension LLP ("Preferred Pension")

Between June 2014 and 23 July 2015, the Commissioner received complaints from individuals who alleged that they had received unsolicited automated marketing calls.

The Commissioner subsequently established that Preferred Pension had instigated the sending of millions of nuisance calls.

The ICO issued an Enforcement Notice requiring Preferred Pension within 35 days to:

neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of an automated call unless the recipient of the automated call has previously notified Preferred Pension that he consents for the time being to such communications being sent by, or at the instigation of Preferred Pension; and

neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of an automated call unless the particulars mentioned in paragraph 2(a) and (b) of Regulation 24 of the Regulations are provided with that communication.


28 February 2016

Advanced VoIP Solutions Ltd ("AVS")

Between June 2014 and 23 July 2015, the Commissioner received complaints from individuals who alleged that they had received unsolicited automated marketing calls.

The Commissioner subsequently established that AVS had instigated the sending of millions of nuisance calls.

The ICO issued an Enforcement Notice requiring AVS within 35 days to:

neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of an automated call unless the recipient of the automated call has previously notified AVS that he consents for the time being to such communications being sent by, or at the instigation of AVS; and

neither transmit, nor instigate the transmission of a communication for the purposes of direct marketing by means of an automated call unless the particulars mentioned in paragraph 2(a) and (b) of Regulation 24 of the Regulations are provided with that communication.


28 February 2016

Money Help Marketing Ltd ("MHM")

Between June 2014 and 23 July 2015, the Commissioner received complaints from individuals who alleged that they had received unsolicited automated marketing calls.

The Commissioner subsequently established that MHM had instigated the sending of millions of nuisance calls.

The ICO issued an Enforcement Notice requiring MHM within 35 days to:

neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of an automated call unless the recipient of the automated call has previously notified MHM that he consents for the time being to such communications being sent by, or at the instigation of MHM; and

neither transmit, nor instigate the transmission of a communication for the purposes of direct marketing by means of an automated call unless the particulars mentioned in paragraph 2(a) and (b) of Regulation 24 of the Regulations are provided with that communication.

29 February 2016

Prodial Ltd ("Prodial")

Prodial was a company which generated leads in relation to individuals making a claim for a PPI refund.

Between 30 January and 4 September 2015, the Commissioner's office received 1,122 complaints via its online reporting tool. 719 of those reports were received after 6 April 2015.

The gist of the complaints was that a significant number of automated marketing calls had been received by subscribers in relation to claiming a PPI refund.

On further investigation, it was discovered that between 6 April and 21 August 2015, Prodial sent or instigated 40,204,838 automated marketing calls that were all connected.

A monetary penalty notice of £350,000 was issued. This is the largest fine ever issued by the ICO for a cold calling operation. The level of the penalty is intended to operate as a deterrent to other organisations engaging in similar unlawful direct marketing activity.


twobirds.com

Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP.

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses and has offices in the locations listed on our web site: twobirds.com.

A list of members of Bird & Bird LLP, and of any non-members who are designated as partners and of their respective professional qualifications, is open to inspection at the above address.