GDPR decisions – March 2021

Holst, Advokater | View firm profile

Decision delivered in France may greatly impact the option of legally using European subsidiaries with parent companies in the USA for hosting of data.

On 12 March 2021, the French supreme court for administrative justice (Conseil d’Etat) decided that personal data on a platform used for booking Covid-19 vaccinations, administrated by company Doctolib and hosted by Amazon Web Services, was sufficiently protected in case of any requests for access from the American authorities. The fact is that adequate legal and technical measures in respect of security had been established.

The fact that Amazon Web Service is subject to American law did not make the risk of American authorities’ access incompatible with the GDPR in accordance with the “Schrems II” decision delivered by the CJEU in July 2020.

The case was about individuals in France who were to be vaccinated against Covid-19, who through an online search could obtain a list of vaccination centres and book a vaccination directly online through the Doctolib platform, which is the result of a partnership between the French ministry for social affairs and health and various suppliers, including Doctolib.

For the purpose of saving data collected, Doctolib had entered into an agreement with Amazon Web Service Sarl in Luxemburg, a subsidiary of Amazon Web Services in the USA.

In consequence of the the Schrems II decision, among others, several healthcare associations and trade unions requested that the court should suspend the use of Doctolib and also order the ministry for social affairs and health to use another solution for the administration of the vaccination campaign.

The court concluded that the data transferred by Doctolib to the Luxemburg company, Amazon Web Services Sarl, were all hosted in data centres in France and Germany, and that the agreement entered into by the parties did not provide for any provision that data could be transferred to the USA.

Meanwhile, since Amazon Web Service Sarl is a subsidiary of a company subject to American law, the court assessed that Amazon Web Service Sarl in Luxemburg could, however, become exposed to requests for access from American authorities within the framework of American intelligence activities based on Article 702 of FISA (Foreign Intelligence Surveillance Act) or Executive Order 12333.

Hence, in continuance of the Schrems II decision, it was necessary to inspect the level of protection for processing personal data by taking into consideration both the legal guarantees, i.e. the provisions of the agreement signed between Doctolib and Amazon Web Service Sarl in Luxemburg, and the technical security measures by taking into consideration the category of the data involved.

In this case the court found that the level of protection was adequate due to the number of security measures in place.

Among others, the court noted the following:

  • that the agreement entered into between Doctolib and Amazon Web Service Sarl contained a procedure in the event of a foreign authority requesting for access to data, including that Amazon Web Service Sarl should challenge any general request for access from a foreign public authority,
  • that the data hosted by Amazon Web Service Sarl are encrypted, and the key is stored by a third party in France – not by Amazon Web Service Sarl – in order to prevent data being accessed by someone unauthorised,
  • that the data hosted only concerns the identification of individuals for the purpose of making appointments, and not sensitive personal data like for instance specific health declarations,
  • that data are erased three months after the vaccination, and the users have the option of erasing their data directly online, should they wish to do so.

On theses grounds the court found that the level of protection of the data stored was adequate in respect to the risk of each individual; hence, the court refused to order the French ministry of social affairs and health to cease the use of the platform.

The decision may have great impact for European businesses using American companies for hosting data through their European subsidiaries. Unlike the Schrems II case, the problem here is not that data is transferred to the USA, but rather that the data processor is a European subsidiary of an American parent company. By taking the necessary technical and legal measures, it will in future be legal to use European subsidiaries with American parent companies.

The press release linking to the decision may be accessed (in French) here:

Danish Agency of Family Law seriously criticised for lack of measures and lack of data processing agreements

Following 158 breaches pertaining to personal data, of which 130 were about unintended disclosure of personal data, including data on individuals with protection of family names and addresses, and 7 specific complaints about the processing of personal data by the Agency, the Danish DPA performed an inspection of the processing of personal data carried out the by the Agency of Family Law.

The focus of the inspection was to

  • inspect the security level of the Agency’s manual processing and handling of human sources of error,
  • inspect the security level of the Agency’s self-service solutions and the Agency’s guidelines for making anonymous any material being disclosed to other individuals and authorities.

By perusing the personal data breaches, the DPA found that in respect of the Agency’s self-service solutions, about 3,400 individuals’ personal data had been disclosed unintendedly.  This was due to a known technical error to a component that had been in operation for a number of years.

Although only few of the data processing carried out by the Agency of Family Law result in personal data breach, the DPA found several cases where the errors could have been easily avoided. This applies both in terms of tightening up the organisational measures implemented, but also in terms of assessing the risks of the data subjects.

The DPA also found that the way in which IT is supported and designed should be optimised.

Therefore, the DPA expressed serious criticism of the fact

  • that the Agency’s personal data processing has not been made in accordance with the rules provided for in Article 32, sub-clause 1 of the GDPR,
  • that the Agency had not observed the requirement for written data processing agreements in accordance with Article 28, sub-clause 3 of the GDPR, and
  • that there in another data processing agreement had not been made any written data processing instructions.

Read the whole decision her (in Danish):

Fine of EUR 300,000 in Germany for negligent violation

Football club VfB Stuttgart 1893 AG in Germany has been imposed with a fine of EUR 300,00 for not observing its obligations under Article 5, sub-clause 2 of the GDPR.

The data protection authority of Baden-Württemberg (LfDI) found that the football club had not complied with the basic principles of data processing, including the requirement for documentation on compliance.

Although the football club to a large extent assisted the DPA with the investigation, the violation was regarded negligent, the football club made significant organisational and technical improvements in respect of data protection, the football club in cooperation with the DPA took action to make the young people aware of data protection questions, the case – nevertheless – ended up with a fine being issued.

Please see the whole press release here (in German):

More from Holst, Advokater