On 17 June 2019 the president of Poland’s Personal Data Protection Office (UODO) issued the Communication on the List of Personal Data Processing Operations Requiring an Assessment of the Impact of Processing on the Protection of Personal Data. The legal basis for issuance of the communication is Art. 35(4) of the EU’s General Data Protection Regulation, under which each member state’s supervisory authority must establish and publish a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. At the same time, the prior list, enclosed with the communication of 17 August 2018, was repealed. The new list reflects the opinion issued by the European Data Protection Board and covers personal data processing activities connected with offering of goods and services to data subjects or monitoring of their behaviour in multiple EU member states.
Category: privacy/personal data protection
Profiled ads on Google: Irish regulator calls the question
Ireland’s Data Protection Commissioner has commenced the first proceeding against the US giant Google since the General Data Protection Regulation entered into force. The case involves processing of users’ personal data for delivery of profiled ads.
The case was launched following numerous complaints, primarily from the makers of the Brave web browser, whose main selling point is built-in ad-blocking tools. The allegations against Google Ireland Ltd boil down to the issue of forwarding users’ personal data (particularly involving their online activity), without their knowledge, to an indefinite number of entities for the purpose of delivering profiled advertising materials.
British data protection authority imposes fine for recording patients without their knowledge or consent
We recently wrote about the first fine for noncompliance with the General Data Protection Regulation imposed by the president of Poland’s Personal Data Protection Office. Data protection authorities in other EU member states are also displaying notable initiative in conducting inspections and imposing fines. A few days ago the Information Commissioner’s Office in the UK imposed a fine of GBP 120,000 on a television production company for failing to provide adequate information to subjects who were filmed and recorded by devices at a healthcare facility, and failing to obtain their consent to film and record them. The case involved occurrences between July and November 2017—before the GDPR entered into force—but may nonetheless prove relevant for interpreting the obligations imposed on data controllers under the GDPR.
Is Poland’s catalogue of data processed for providing electronic services consistent with the GDPR principle of data minimisation?
On 3 April 2019 the President of Poland signed into law the GDPR Implementation Act (full name: Act Amending Certain Acts to Ensure Application of the General Data Protection Regulation). Among several issues addressed controversially in the GDPR Implementation Act are the requirement to express consent to profiling and the catalogue of types of personal data that may be processed by suppliers of online services. This catalogue is set forth in Art. 18(1) of the Electronic Services Act. The original draft of the GDPR Implementation Act provided for repeal of that section, but during the course of legislative work on the act it was decided to leave the catalogue in place. This solution may conflict with the GDPR.
Million-zloty fine for ignoring information obligation under GDPR
On 25 March 2019, the president of the Personal Data Protection Office announced the imposition of the first-ever fine in Poland for failure to comply with the EU’s General Data Protection Regulation. The fine is quite high (about PLN 1 million) and involves noncompliance with the information obligation by a company that harvested personal data—addresses and telephone numbers of individuals operating businesses—from publicly available sources and then processed the data.
YouTube, personal data, and freedom of expression: Is uploading films on the internet journalism?
We recently wrote about the relation between data protection regulations and freedom of expression in the context of the right to be forgotten. On 14 February 2019, in Buivids (C-345/17), the Court of Justice of the European Union issued another judgment on the impact of the journalism exception to the obligation to apply the former Data Protection Directive (95/46/EC). Even though the judgment was issued under the law prior to entry into force of the General Data Protection Regulation, it may be helpful in understanding the impact of freedom of expression on data protection under the GDPR.