GDPR decisions – July 2020

Holst, Advokater | View firm profile

Fine of approx. EUR 28,000 issued due to unlawful basis for processing

The Norwegian data protection agency has imposed a fine on a Norwegian importer of ceramic tiles, Odin Flissenter AS, amounting to approx. EUR 28,000 (NOK 300,000) for not having a lawful basis for processing data in connection with credit rating.

Odin Flissenter AS had carried out credit rating of a one-man business, with which Odin Flissenter AS had no customer relationship or other relation.

The Norwegian DPA stated that credit information about a one-man business is considered personal data since the owner is directly identified with the company and such is directly linked to the owner’s personal finances. This implies that there must be a lawful basis for the processing of any credit rating of one-man businesses.

The whole decision is available here:

https://www.dataguidance.com/news/norway-datatilsynet-fines-odin-flissenter-nok-300000-processing-data-without-lawful-basis

Danish hotel group reported to the police and should expect a fine of EUR 147,800 for failing to delete personal data

In connection with an inspection visit at Arp-Hansen Hotel Group A/S, the Danish DPA established that in particular a booking system contained many personal data that should have been deleted according to the hotel group’s own deletion deadlines. Furthermore, the DPA found that there were so-called customer profiles which – according to Arp-Hansen’s own deletion deadlines – should have been deleted several years earlier. In fact, the DPA estimated that about 500,000 customer profiles should have been deleted at the time of the inspection visit.

Personal data may only be processed for factual purposes and may only be stored for as long as necessary. Since the Arp-Hansen hotel group has not been able to provide factual reasons for the extensive retention of data, the DPA has reported the hotel group to the police and recommended that the hotel group be issued a fine of about EUR 147,800 (DKK 1,100,000) for failing to comply with the regulations under Article 5(1)(e) of the GDPR on storage limitation.

The whole decision is available here (in Danish):

https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/jul/arp-hansen-hotel-group-a/s-indstilles-til-boede

Schrems II decision on the transfer of personal data from the EU to the USA

Generally, personal data may be freely transferred within the EU (and a few pre-approved countries outside the EU) provided the provisions under the GDPR and provisions governing national personal data protection law are observed.

When transferring personal data to third countries (non-EU countries that are not pre-approved), there must be a legal basis for the transfer to ensure that the recipient country (third country) has equivalent personal data protection. Until now, one of the most used transfer methods to the USA has been the use of Privacy Shield.

Privacy Shield was an agreement between the EU and the USA under which companies in the USA could sign up to the scheme, thereby becoming subject to a number of additional requirements and rules to ensure the same high level of personal data protection as in the EU.

However, on 16 July 2020, the Court of Justice of the European Union delivered a judgment ruling that Privacy Shield is now invalid, and it therefore immediately ceases as a legal basis for transfers of personal data from the EU to the USA. Therefore, companies that have used Privacy Shield must immediately find a new legal basis for transfer if there continues to be a requirement for personal data being transferred to the USA.

In the same judgment, the Court of Justice of the European Union states that the EU Commission’s standard contractual clauses may continue to be used as a legal basis for transfer to third countries, including the USA. However, a company transferring data to a third country on the basis of the standard contractual clauses must ensure that protection of personal data in the recipient country broadly corresponds to the level of protection in the EU. In other words, an investigation must made of the recipient country’s legal system and level of personal data protection before the standard contract clauses may be applied. In future, there will be an increased focus on this, which is why companies are encouraged to seek legal assistance in case of any transfers to be made to “non-safe third countries” outside the EU.

 

 

More from Holst, Advokater