France: CNIL fines Google (100 mio EUR) and Amazon (35 mio EUR) over cookies, trackers and privacy notices

On 7.12.2020 the CNIL fined a total of 135 million Euro: Google LLC (60 Mio.), Google Ireland (40 Mio.) and Amazon (35 Mio.)

Press release in English:

Sweden: DPA audited eight healthcare providers, fines seven (up to 3 mio EUR)

The Data Inspectorate has now completed an inspection of eight care providers. The review focused above all on whether the care providers had carried out the needs and risk analysis required to give staff the right access to personal data in the main medical record systems.

– Care providers must make a careful analysis and assessment of what staff’s needs are for information in the medical record systems and what risks there are if staff have access to patient data. Without such an analysis, care providers cannot assign staff the right permissions, which in turn means that the operations cannot guarantee patients the privacy protection they are entitled to, says Magnus Bergström, who is the coordinator for the eight reviews.

The Data Inspectorate states that seven of the care providers have not carried out a needs and risk analysis, while one care provider has carried out an analysis which, however, has certain shortcomings.

The authority also states that seven of the care providers do not limit users’ permissions in the respective medical record system to what is needed for the user to fulfil his or her duties.

This means that the seven care providers have not taken sufficient measures to be able to ensure and demonstrate an appropriate security for the personal data in the medical record systems.

https://www.datainspektionen.se/nyheter/brister-i-hur-vardgivare-styr-personalens-atkomst-till-journaluppgifter/ with links to details of the specific cases

Belgian DPA to Take Down Websites Infringing GDPR

On November 26, 2020, the Belgian Data Protection Authority (“Belgian DPA”) signed a cooperation agreement with DNS Belgium, the organization managing the “.be” country code top-level domain name. The purpose of the cooperation agreement is to allow DNS Belgium to suspend “.be” websites that are linked to infringements of the EU General Data Protection Regulation (the “GDPR”).

https://www.huntonprivacyblog.com/2020/12/03/belgian-dpa-to-take-down-websites-infringing-gdpr/

France: CNIL sanctions on Carrefour

Sanctions of 2,250,000 euros and 800,000 euros for the companies CARREFOUR FRANCE and CARREFOUR BANQUE

Announcement:
https://www.cnil.fr/fr/sanctions-2250000-euros-et-800000-euros-pour-carrefour-france-carrefour-banque

Délibération de la formation restreinte n° SAN-2020-008 du 18 novembre 2020 concernant la société CARREFOUR FRANCE
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042563756

Délibération de la formation restreinte n° SAN-2020-009 du 18 novembre 2020 concernant la société CARREFOUR BANQUE
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657

Pursuant to decisions No. 2019-081C of April 24, 2019 and No. 2019-102C of June 6, 2019 of the President of the Commission, five controls were carried out online or at the company’s premises:
– an online check, carried out on May 24, 2019, relating to the carrefour.fr site and the processing carried out from this site;
– an on-site check, carried out on May 28, 2019, relating to the processing carried out by the company CARREFOUR FRANCE, in particular as part of the Carrefour loyalty program (hereinafter the loyalty program), as well as the various databases that it used for the management of its customer base;
– an on-site check, carried out on June 11 and 12, 2019, relating to the exercise of rights and to the responses provided to several complainants who have referred a complaint to the CNIL against the company;
– an on-site check, carried out on June 26 and 27, 2019, focusing more particularly on the management of personal data as part of the loyalty program;
– an on-site check, carried out on July 11, 2019, relating to the security measures developed by CARREFOUR FRANCE to protect the personal data it processes and the data breaches that have occurred.

On the second point, the restricted committee notes, first of all, that the company acknowledges a delay in implementing its data erasure program but stresses the significant efforts made since the procedure was initiated to bring itself into compliance. The restricted committee noted that the inspection delegation found data concerning customers who had been inactive for more than four years, and in particular more than twenty-eight million loyalty program members who had been inactive for five to ten years. With regard to users of the carrefour.fr site, the restricted committee stresses that the data of more than 750,000 users whose last purchase dated back five to ten years was kept, as well as that of nearly 20,000 users whose last purchase dated back more than ten years.

Triggered by several complaints, the CNIL sanctioned two companies of the CARREFOUR group for breaches of the GDPR concerning in particular the information provided to individuals and respect for their rights.

Having received several complaints against the CARREFOUR group, the CNIL carried out checks between May and July 2019 at the companies CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of customer and prospect data. The President of the CNIL therefore decided to initiate a sanction procedure against these companies.

At the end of this procedure, the restricted committee – the CNIL body responsible for pronouncing sanctions – found that the companies had failed to meet several obligations under the GDPR.

It thus sanctioned the company CARREFOUR FRANCE with a fine of 2,250,000 euros and the company CARREFOUR BANQUE with a fine of 800,000 euros. It did not issue an injunction, however, since it noted that significant efforts had brought all the breaches identified into compliance.

Breaches of the obligation to inform individuals (article 13 of the GDPR)
The information provided to users of the carrefour.fr and carrefour-banque.fr sites, as well as to people wishing to join the loyalty program or take out the Pass card, was neither easily accessible (access to the information was too complicated, and it was buried in very long documents containing other information) nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated wording). In addition, it was incomplete with regard to data retention periods.

Concerning the carrefour.fr site, the information was also insufficient with regard to data transfers outside the European Union and the legal basis for the processing.

On this point, the companies modified their information notices and websites during the procedure in order to comply.

Breaches relating to cookies (article 82 of the Data Protection Act)
The CNIL noted that, when a user visited the carrefour.fr or carrefour-banque.fr site, several cookies were automatically placed on their terminal before any action on their part. Several of these cookies served advertising purposes, for which the user’s consent should have been collected before they were placed.

The companies modified the way their websites function during the procedure. No advertising cookies are now deposited before the user has given their consent.
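As the check a practitioner would run against the behaviour described above, here is an added example (not code from the CNIL, Carrefour or this page's author): it parses the Set-Cookie headers captured while loading a site with a fresh browser profile and no interaction, and flags every cookie not on the site's strictly-necessary allowlist, noting third-party scope and persistence. The site name example-shop.fr, the ad-network host, the allowlist and the captured headers are all constructed for illustration; a real run would take the headers and responding hosts from a browser automation tool's network log.

```python
"""Flag cookies set before any consent action.

Added example, not CNIL or Carrefour code. Input model: (responding host,
raw Set-Cookie header) pairs captured while loading the home page with a
fresh profile and performing no interaction. All sample data is constructed.
"""

FIRST_PARTY = "example-shop.fr"  # hypothetical site under test

# Cookies that may be set without consent because the service cannot work
# without them (constructed allowlist; a real one comes from the site's
# own cookie inventory)
STRICTLY_NECESSARY = {"session_id", "csrf_token", "cookie_consent"}

# Constructed capture: what the browser received on first load, before any click
CAPTURED = [
    ("www.example-shop.fr", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example-shop.fr", "cookie_consent=pending; Path=/; Max-Age=15552000"),
    ("www.example-shop.fr", "_ga=GA1.2.1234.5678; Domain=.example-shop.fr; Path=/; Max-Age=63072000"),
    ("ads.example-adnetwork.com", "IDE=AHWqTUm; Domain=.example-adnetwork.com; Path=/; Max-Age=31536000; Secure"),
]


def parse_set_cookie(host, header):
    """Parse one Set-Cookie header into name, value, domain scope and persistence."""
    name_value, *attr_parts = header.split(";")
    name, _, value = name_value.strip().partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    # Without a Domain attribute the cookie is host-only (RFC 6265 section 4.1.2.3)
    domain = attrs.get("domain", host).lstrip(".").lower()
    # A cookie with neither Max-Age nor Expires is a session cookie
    persistent = "max-age" in attrs or "expires" in attrs
    max_age_days = int(attrs["max-age"]) // 86400 if "max-age" in attrs else None
    return {"name": name, "value": value, "domain": domain,
            "persistent": persistent, "max_age_days": max_age_days}


def is_third_party(cookie_domain, first_party):
    """Naive scope check: the first-party domain itself or one of its subdomains.

    Caveat: this does not consult the Public Suffix List, so sites under
    suffixes such as co.uk need a registrable-domain lookup instead.
    """
    return not (cookie_domain == first_party or cookie_domain.endswith("." + first_party))


def audit_pre_consent_cookies(captured, first_party, allowlist):
    """One finding per cookie set before consent that is not strictly necessary."""
    findings = []
    for host, header in captured:
        cookie = parse_set_cookie(host, header)
        if cookie["name"] in allowlist:
            continue
        reasons = ["set before any consent action"]
        if is_third_party(cookie["domain"], first_party):
            reasons.append("third-party domain " + cookie["domain"])
        if cookie["persistent"]:
            days = cookie["max_age_days"]
            reasons.append("persistent" if days is None else "persistent (%d days)" % days)
        findings.append({"name": cookie["name"], "domain": cookie["domain"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_pre_consent_cookies(CAPTURED, FIRST_PARTY, STRICTLY_NECESSARY):
        print(finding["name"], "@", finding["domain"], "->", "; ".join(finding["reasons"]))
```

Two cookies come back flagged in the constructed capture: the analytics cookie `_ga`, which is first-party in scope but still not strictly necessary, and the ad-network cookie `IDE`, which is additionally third-party. The allowlist is the part a reviewer should challenge: every entry on it has to be justified by the service actually failing without it.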

A breach of the obligation to limit the retention period of data (article 5.1.e of the GDPR)
The CARREFOUR FRANCE company did not respect the data retention periods that it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were thus kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr site who had been inactive for five to ten years.

In addition, in this case, the restricted committee considers that a retention period of 4 years for customer data after their last purchase is excessive. Indeed, this duration, initially adopted by the company, exceeds what appears necessary in the field of mass distribution, taking into account the consumption habits of customers who mainly make regular purchases.

During the procedure, the company CARREFOUR FRANCE committed significant resources to make the changes necessary to bring itself into compliance with the GDPR. In particular, all data that was too old has been deleted.

A breach of the obligation to facilitate the exercise of rights (article 12 of the GDPR)
The CARREFOUR FRANCE company required, except for opposition to commercial prospecting, proof of identity for any request to exercise rights. This systematic request was not justified since there was no doubt about the identity of the persons exercising their rights. Furthermore, the company was not able to process several requests for the exercise of rights within the time limits required by the GDPR.

On these two points, the company changed its practices during the procedure. In particular, it has deployed significant human and organizational resources to respond to all requests received within a period of less than one month.

Failure to respect rights (articles 15, 17 and 21 of the GDPR and L34-5 of the Postal and Electronic Communications Code)
First of all, the CARREFOUR FRANCE company did not respond to several requests from people wishing to access their personal data. The company approached all the people concerned during the procedure.

Then, in several cases, the company did not proceed with the erasure of data requested by several people when it should have done so. On this point also, the company granted all the requests during the procedure.

Finally, the company did not take into account several requests from people who objected to receiving advertising by SMS or email, in particular due to occasional technical errors. The company became compliant during the procedure on this point as well.

A breach of the obligation to process data fairly (Article 5 of the GDPR)
When a person taking out the Pass card (a credit card that can be attached to the loyalty account) also wished to join the loyalty program, they had to tick a box accepting that CARREFOUR BANQUE would communicate their surname, first name and e-mail address to “Carrefour loyalty”. CARREFOUR BANQUE explicitly stated that no other data was transmitted. The CNIL nevertheless found that other data were transmitted, such as the postal address, the telephone number and the number of children, although the company had undertaken not to transmit any other data.

On this point, the company changed its practices during the procedure. It has completely overhauled its online subscription process for the Pass card and people are now informed of all the data transmitted to CARREFOUR FRANCE.

Questionnaires used by German DPA in their cookie sweep

.. as well as background information at

https://fragdenstaat.de/anfrage/landerubergreifende-datenschutz-prufung-zu-tracking-technologien-5/

Deep link to the questionnaire as a PDF:
https://fragdenstaat.de/anfrage/landerubergreifende-datenschutz-prufung-zu-tracking-technologien-5/515289/anhang/Fragebogen_konvertiert.pdf

Some discussion at:
https://www.datenschutz-guru.de/fragebogen-der-aufsichtsbehoerden-pruefung-des-einsatzes-von-tracking-diensten-auf-webseiten-bei-medienunternehmen/

Germany/Saarland: Privacy inspection questionnaires

.. in German

The DPA Saarland uses four questionnaires:
– interesting questions incl. on various concepts (data deletion, encryption, pseudonymization, risk evaluation/model, privacy management, ..)

https://fragdenstaat.de/anfrage/fragebogen-zur-prufung-des-datenschutzes-15/

Key points from the Accountability questionnaire (GDPR Art 5 (2))

  • (Translation, highlights by myself)
    Accountability Review
    according to Art. 5 Para. 2 GDPR
    Controller:
    Posted December 04, 2018
    Case number:

    We kindly ask you to answer the following questions in full and send the requested documents based on Art. 58 GDPR by January 31, 2019 at the latest.

    Basic concept

    1. Is there a data protection guideline(/policy/directive) in the company?
      • Yes. Please send us a copy of the guideline.
      • No.
    2. Has a data protection officer been appointed and reported to the supervisory authority?
      • Yes. ____________________________________
      • No.
    3. What are the tasks of your data protection officer in this function (short description)?
    4. Does the data protection officer perform other functions in or for the company?
      • Yes. Please describe them briefly.
      • No.
    5. If there are several locations or branches of the company, are these integrated into a uniform data protection concept?
      • Yes. Please send us a copy of the data protection concept.
      • No.
    6. Do these locations or branches independently decide on the purposes and means for processing personal data?
      • Yes.
      • No.
    7. Are internal responsibilities with regard to data protection-relevant processes or procedures (e.g. training of employees, reporting of data protection violations, …) defined in writing?
      • Yes. Please send us a copy of the written specifications.
      • No.
    8. Are there rules for internal controls to ensure compliance with data protection regulations?
      • Yes. Please send us a copy of these rules.
      • No.
    9. Please describe briefly how the company is dealing with inputs by the data protection officer (e.g. reports, statements or similar)

      List of processing activities (Art. 30 GDPR)

    10. Is there a complete list of processing activities?
      • Yes. Please state the number of processing activities.
      • No. Please give the reason.
    11. Please describe the method used (e.g. purpose, means, process, IT system, …) to determine the individual processing activities.
    12. Please describe the rules on how the directory of processing activities is managed (e.g. updates or with regard to change history and powers, etc.).

      Uniform risk model

    13. Is there a document that provides a company-wide understanding of data protection risk?
      • Yes. Please send us a copy of this document.
      • No.
    14. Please describe how, in your opinion, the damage to the rights and freedoms of natural persons should be understood when evaluating data protection risk.
    15. Please describe which scales are used to model the likelihood of occurrence and severity of a data protection risk in the company.
    16. Please describe how you ensure that all relevant positions understand the difference between the corporate risk (focus: corporate values) and a data protection risk (focus: rights and freedoms of natural persons).
    17. Is the risk model known to those responsible for data protection as well as the company data protection officer and the information security officer?
      • Yes.
      • No.

      Privacy compliant data processing

    18. Is there a documented legal basis for the processing of personal data for every processing activity according to Art. 30 GDPR?
      • Yes.
      • No. Please give the reason.
    19. Is there a documented legitimate interest assessment if processing is based on a “balancing of interests” according to GDPR Art. 6 Para. 1 lit. f?
      • Yes.
      • No. Please give the reason.
    20. Are consents within the meaning of Art. 4 No. 11 GDPR designed in accordance with the requirements of Art. 7 GDPR and can they be withdrawn at any time?
      • Yes.
      • No. Please give the reason.
    21. Describe the contexts in which the data subject’s consent is obtained.
    22. Send appropriate samples of the declarations of consent you are using.
    23. Has a threshold value analysis (i.e. risk assessment) been carried out for each processing documented in the directory according to Art. 30 GDPR to prepare the question of whether a data protection impact assessment has to be carried out?
      • Yes.
      • No. Please give the reason.
    24. Please name the processing activities for which you have determined the need to carry out a data protection impact assessment in accordance with Art. 35 GDPR and provide us with the documented results of the data protection impact assessments.
    25. Is there a deletion concept (e.g. according to DIN 66398) that also regulates the handling of archives and backups?
      • Yes. Please send us a copy of this concept.
      • No. Please give the reason.
    26. Are adequate measures in place to ensure confidentiality, integrity and availability according to GDPR Art 32?
      • Yes. Please send us the security concept.
      • No. Please give the reason.
    27. Is there a process (Plan-Do-Check-Act) to ensure the effectiveness of the measures under Art. 32 GDPR?
      • Yes. Please send us a description of this process.
      • No. Please give the reason.
    28. Please describe how Privacy by Design is conceptually implemented in accordance with Art. 25 Para. 1 GDPR, taking particular account of the principles of data minimization and compliance with the purpose limitation in the processing activities in the company.
    29. Does a uniform audit methodology apply to audits by the data protection officer?
      • Yes. Please send us copies of the last two audit reports.
      • No. Please give the reason.
    30. Please describe how it is ensured that processors are selected in accordance with Art. 28 GDPR on the basis of a suitable risk model and effective technical and organizational measures based on them (in accordance with Art. 25 Para. 1 GDPR).
    31. Please describe how it is ensured that (for sub-processing) the legal basis of the so-called second level for data transfers to third countries is correctly designed.
    32. Is there a uniform encryption concept?
      • Yes. Please send us a copy of the written specifications.
      • No. Please give the reason.
    33. Does a uniform pseudonymization concept exist?
      • Yes. Please send us a copy of the written specifications.
      • No. Please give the reason.
    34. Are there processing activities in the company for which there is a joint controllership pursuant to Article 26 GDPR?
      • If yes, please describe this processing in key words and submit the corresponding agreements on joint responsibility for two of these processing processes.
      • No.

      Dealing with data subject rights

    35. Has a process been implemented to deal with information claims under Art. 15 GDPR?
      • Yes. Please describe this process.
      • No. Please give the reason.
    36. Please describe how it is ensured that the personal data of those affected can be quickly and completely available from all existing systems and, if applicable, branches.
    37. Are data subjects transparently informed about all processing activities documented in the directory according to Art. 30 GDPR in accordance with Art. 12 ff. and, if applicable, Art. 21 GDPR?
      • Yes.
      • No. Please give the reason.
    38. Have the website(s) been revised since May 25, 2018 so that visitors are sufficiently informed about the data processing (of the website) in accordance with Art. 13 GDPR?
      • Yes.
      • No. Please give the reason.

      Please send us a complete list of all domain names for your company.

    39. Has a procedure been implemented to ensure compliance with the deadlines regarding the rights of the data subjects pursuant to Art. 14-22 GDPR?
      • Yes. Please describe this procedure.
      • No. Please give the reason.
    40. Has a procedure been implemented to respond to requests from data protection supervisory authorities regarding data protection complaints received there?
      • Yes. Please describe this procedure.
      • No. Please give the reason.
    41. Are training documents available with which the persons who are involved in the processes to ensure the rights of those affected are properly informed?
      • Yes. Please send us a copy of these documents.
      • No. Please give the reason.
    42. Have you considered how to respond to a data subject’s application for data portability in accordance with Art. 20 GDPR? If necessary, please describe your considerations.
    43. Has such a request already been made to you?
      • Yes.
      • No.

      Dealing with data protection violations

    44. How many data protection violations according to Art. 33 GDPR have you become aware of since May 25, 2018 and how many of them have been reported to the supervisory authority or only documented within the meaning of Art. 33 Para. 5 GDPR?
    45. Please describe how data protection violations are recognized in the company according to Art. 33/34 GDPR.
    46. Please describe how you identify, document and process data protection violations that occur at service providers (including in third countries).
    47. Does the risk model for classifying data protection risk also apply to data protection violations according to Article 33/34 GDPR?
      • Yes.
      • No. Please give the reason.
    48. Describe the process in the event that a high risk for data subjects is identified in the event of data protection violations.
    49. Describe to what extent it is guaranteed that data protection violations will be reported to the responsible supervisory authority within 72 hours (including on weekends / public holidays).
    50. Has it been clarified and documented at which positions in the company the 72-hour notification period starts?
      • Yes. Please tell us these places: _______________________
      • No. Please give the reason.