GDPR decisions – June 2020

Holst, Advokater

Publication of club magazines from the early 1980s found lawful

On 16 June 2020, the Danish Data Protection Agency (DPA) decided a matter in which a citizen had complained about a sailing club. The club had posted three club magazines from 1981 and 1982 on the internet, thereby revealing the complainant's name, former address, age and a photo, and had refused to delete this information.

The DPA did not find grounds for criticising the sailing club for the publication of the club magazines. It particularly considered the nature of the information, the age of the club magazines and the legitimate interest of the sailing club in safeguarding, protecting and informing about its history in a natural context, including being able to identify the persons who participated in the activities of the sailing club. In conclusion, there were no specific considerations in respect of the citizen that should take precedence over the legitimate interest of the sailing club in processing the data.

The legal basis for the sailing club to process the data was in line with Article 6 (1) lit. f of the GDPR.

The citizen, who now has a secret address, had vacated the address that appeared in the club magazine, and on that basis the DPA found that the former address was not particularly worthy of protection.

The whole decision is available here (in Danish):

Danish municipality subject to severe criticism for failing to notify data breach within 72 hours

By mistake, the Danish Municipality of Randers disclosed personal data worthy of protection on its website, including data such as name and address protection and information on children’s well-being, diagnosis and connection with special schools. The mistake involved 15 responses to hearing requests containing personal data being made publicly available on the municipality’s website.

The Municipality of Randers has stated that before a person submits a response to a hearing request, the person is made aware 3 times that the response must not contain personal data of a confidential and sensitive nature. The person is also made aware that, if a response contains this type of data, employees of the municipality read and remove it before the response is published. The Municipality of Randers further stated that the reason for the incident was that a number of its employees, when reviewing the responses, were not aware of which personal data were not to be included in the responses.

The responses to hearing requests were available on the municipality’s website from 17 October 2019 at 09:52, when the first response was uploaded, until 18 October 2019 at 21:00, when all the data were removed from the website again. The municipality did not report the incident as a data breach to the DPA within the 72-hour deadline provided for in the GDPR, nor did it comply with the requirements for the contents of such a notification or for the time for notifying the citizens involved.

The Municipality of Randers stated that the reason why it did not report the breach to the DPA until 1 November 2019 was that it lacked an overview of the scope of the incident.

In addition, the municipality stated that, at the time of notification, it assessed that the risk to the data subjects’ rights was not so high that the persons involved needed to be notified about the incident.

The whole decision is available here (in Danish):

Fine of EUR 75,000 issued in Spain for failure to delete personal data

On 9 June 2020, the Spanish Data Protection Authority (AEPD) issued a fine of EUR 75,000 to the global data, analytics, and technology company Equifax Iberica, SL for failing to delete personal data.

By email, the data subject had requested the deletion of his data, which Equifax Iberica refused to do, as it would require too many resources. This was considered a breach of the data subject’s right to erasure under the GDPR.

The whole decision is available here (in Spanish):

This is not the first time that Equifax has challenged the provisions of the GDPR. Back in September 2018, Equifax Ltd. was fined GBP 500,000 by the British DPA (ICO) for failing to protect personal data of about 15 million Brits.

This decision is available here:

Twitter fined EUR 30,000 for failing to control cookies

The Spanish AEPD has issued a fine of EUR 30,000 to Twitter for violating cookie rules.

A Twitter cookie banner stated that by using the website’s services, the user would (implicitly) accept the cookie policy. However, the banner offered no possibility of rejecting the use of cookies, nor did it give the user the option of accessing management and configuration settings. AEPD added that in order to reject cookies, users had to click on a link at the bottom of the website.

An examination of the website showed that Twitter placed cookies on users’ devices as soon as the users accessed the website without them being able to prevent this.

In addition to the fine, Twitter has been ordered to change its procedures within a month.

The whole decision is available here (in Spanish):

The level of the fine is in line with AEPD’s fines in other cases, such as the case from October 2019, in which the airline Vueling Airlines was fined EUR 30,000 by AEPD because its website forced users to give consent to cookies if they wanted to use the website.

Please see Holst’s GDPR newsletter from October 2019 and the mention of this case here:
