Data Protection Newsletter - 18th Edition



Note to everyone:

We are pleased to announce an enhancement to our newsletter distribution process. Commencing next month, our newsletters will be delivered directly from us to your email to provide a more personalised experience.

To ensure uninterrupted receipt of our direct newsletters, we kindly request that current subscribers to our LinkedIn newsletters sign up with us directly.



What caught our eye in November 2023

1. NOYB files GDPR Complaint against Meta over "Pay or Okay"

NOYB (a non-profit organisation for digital rights protection led by Max Schrems) lodged a complaint against Meta with the Austrian data protection authority. It argues that Meta's offer to either pay or agree to be "tracked" does not meet the GDPR's requirement that consent be freely given.

Meta proposes that consumers pay up to €251.88 annually to uphold their right to data protection on Instagram and Facebook. Not only is the cost unreasonable, but industry data suggests that only 3 percent of individuals prefer being tracked, while over 99 percent opt against paying a "privacy fee". If Meta succeeds with this approach, other companies are likely to follow suit. Considering that the average phone has 35 apps, NOYB calculated that maintaining privacy on one phone could potentially cost around €8,815 per year.

Earlier this month, European Data Protection Authorities expressed their concerns regarding this new paid subscription model. Datatilsynet in Norway, which enforced the EDPB's binding decision on Meta through its own national decision, has already deemed the subscription model non-compliant without consulting board members.

2. EU: CJEU affirms individuals' right to have a free copy of their personal data

The CJEU has explained that the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation.

Recital 63 clarifies that the access right aims to inform individuals about, and let them verify, the lawfulness of data processing, rather than serving as a tool for litigation.

Examining Articles 12 and 15 of the GDPR, the CJEU notes that access to personal data is generally free of charge (Article 12(5)), and that individuals are entitled to a free initial copy of their data (Article 15(3)). The court emphasises that Recital 63 does not restrict the grounds for access requests, and that individuals are not obliged to give reasons. The GDPR prioritises transparency and prohibits controllers from restricting data access based on the purpose of the request.

3. Spain's AEPD fines Language College €90,000

On November 17, 2023, the Spanish Data Protection Authority (AEPD) published its decision in Proceeding No. PS/00516/2022, in which it imposed a fine of €90,000 on Eurocollege Oxford English Institute S.L. (Eurocollege) for violating the General Data Protection Regulation (GDPR), following an individual's complaint.

The complainant claimed that in 2022 they signed a training contract with a school named Centro De Estudios Aeronauticos, S.L. (CEAE)*. The AEPD highlighted that before enrolment, CEAE required the complainant to:

  • Undergo a medical check-up and provide a medical certificate;
  • Fill out a health declaration providing personal health information; and
  • Provide a criminal record certificate.

Subsequently, the complainant filed a complaint against CEAE on the basis that the requested personal data was unnecessary and excessive.

The AEPD found that the personal data requested by CEAE was neither necessary nor a legal requirement of the State Aviation Safety Authority (AESA), which regulates schools such as CEAE. The AEPD determined that CEAE had violated Article 6(1) of the GDPR by processing the complainant's personal data without a legal basis. Additionally, the AEPD found that CEAE had failed to comply with the data minimisation principle under Article 5(1)(c) of the GDPR. Furthermore, the AEPD stated that CEAE's collection of health data from the complainant was neither proportionate nor necessary, contrary to Article 9(2) of the GDPR.

* The AEPD noted that Eurocollege had absorbed CEAE in 2023 through a merger and that Eurocollege was therefore the responsible party for the purposes of the investigation.

The moral of the story is...

Case Study 5 (from Annual Report 2022) - Access and Erasure request (Pinterest)

What happened?

The individual asked for a copy of their personal data, and for its deletion, after Pinterest suspended their account for spamming. The Data Controller sent an automated reply saying it had checked the account, found spam activity, and would therefore not restore it. As a result, the individual was no longer able to access the personal data stored in their account.

After the DPC took up the complaint, Pinterest explained that once an account is suspended for a spam violation, all correspondence is automatically directed to its Spam Operations team. That team failed to notice that the correspondence also contained the individual's access and erasure requests, so these were not addressed in its response.

As a result of the DPC's consideration of the complaint, Pinterest updated its spam policies, the individual's account was reactivated, and their request for data access and erasure was actioned.

What does it mean for my organisation?

This case study illustrates how simple matters, such as a request being forwarded to the wrong unit in an organisation, can become data protection complaints if the matter is not identified appropriately.

The right to erasure, also known as the right to be forgotten, gives individuals the right to ask organisations to delete their personal data. Under the GDPR, this right applies in particular situations. A person is entitled to have their personal data deleted if:

  1. Their personal data are no longer necessary in relation to the purposes for which they were collected or processed;
  2. They withdraw consent to the processing, and there is no other lawful basis for processing the data;
  3. They object to the processing, and there are no overriding legitimate grounds for continuing the processing;
  4. Their personal data have been unlawfully processed;
  5. Their personal data have to be erased in order to comply with a legal obligation;
  6. Their personal data have been collected in relation to the offer of information society services (e.g. social media) to a child.

There are exceptions under which the right to erasure does not apply, namely where processing is necessary for:

  • Exercising the right of freedom of expression and information;
  • Compliance with a legal obligation, or the performance of a task carried out in the public interest or in the exercise of official authority;
  • Reasons of public interest in the area of public health;
  • Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
  • The establishment, exercise or defence of legal claims.

Like a data subject access request, a data erasure request has a deadline that the data controller must meet. The GDPR says "without undue delay", which data protection authorities interpret as no more than one month. This means your company must inform the individual within this period whether or not you have deleted their data.

In practice, your business should have clear policies and procedures, and should train its employees, so that no data erasure request is overlooked.

Tales from the coalface

A key challenge of the GDPR is to clearly identify the roles of all parties involved in data processing. We often get inquiries from our clients about how to handle situations where there is more than one data controller, whether as joint or as independent controllers.

Who are joint data controllers?

A joint data controller is a party that, together with others, decides the purposes and means of personal data processing. A key factor is that both parties are essential to the processing, meaning that their roles are inseparable or inextricably linked. The joint participation must cover both the purposes and the means of the processing. If one party does not determine either the means or the purposes, it is not a joint controller; it may instead be an independent controller or even a data processor.

The assessment of joint controllership

As the EDPB explains in its guidelines, joint controllership should be assessed on a factual, not a formal, analysis of how the purposes and means of the processing are influenced. All current or planned arrangements should be checked against the facts of the relationship between the parties. A formal criterion alone would not work, for two reasons: sometimes no joint controller is formally designated by law or contract; other times the formal designation does not match the real arrangements, because it assigns the controller role to an entity that cannot actually "decide" the purposes and means of the processing.

Joint data controllers' agreement

Joint controllers must transparently agree on and define their respective responsibilities for complying with the GDPR obligations. This should especially cover the rights of data subjects and the information duties. Moreover, the distribution of responsibilities should also cover other controller obligations, such as the data protection principles, legal basis, security measures, data breach notification obligations, data protection impact assessments, the use of processors, third-country transfers, and contact with data subjects and supervisory authorities.

Each joint controller is responsible for ensuring that the processing is lawful and that it is not carried out in a way that is incompatible with the original purposes for which the data was collected by the controller sharing it.

Ambit Compliance is ready to help if you wish to understand your controllership status and formalise it in contracts or agreements.


Contributors to this newsletter:

Gillian Traynor and Anastasia Kazankina


This month's rulings and fines are a reminder of the importance of data protection and the need to stay up-to-date with the latest GDPR developments.
