European Supermarket Chain may face inspection over new fingerprinting system

Belgian data protection authority, Gegevensbeschermingsautoriteit, may launch an investigation into supermarket chain Carrefour’s fingerprint payment system.


There's no denying that we currently live in a fast-paced, highly technological era, one which constantly ushers in new means of identifying individuals and processing digital payments, all geared towards increased convenience. At this stage, thanks to mobile phone advances, fingerprinting may very well be one of the more widely used means of identification, but its uses are certainly not confined to mobile devices. In fact, just this week one of Europe's largest supermarket chains, Carrefour, announced that it will organise a pilot project allowing clients to pay for their groceries with their fingerprints in a store in the centre of Brussels.



A report from the Brussels Times explains that the Carrefour pilot project will enable clients to pay by scanning their finger at the cash register, after which the amount will be debited from their bank account. And while this may result in faster checkout times and a more convenient means of shopping, there are undoubtedly privacy and security risks, risks which the Belgian Data Protection Authority would not only like consumers to be aware of, but which may warrant and lead to an investigation by the DPA.


Referencing a report from De Standaard, the Brussels Times presented the following comment from David Stevens, president of the GBA:


"We asked Carrefour a few questions and discovered that a test had already taken place . . . It turned out that Carrefour had already collected fingerprints. Now that we've heard the news about the new experiment with fingerprint payments, there's a good chance we'll send our inspectors. I cannot yet formally confirm that we will do that, but I think there is a good chance."


". . . that is more than just a signature on paper. Customers really have to understand the risks. If, through hacking, your password falls into the wrong hands, you can replace it. But you cannot just change your fingerprint, face or the iris of your eye. Hence the strict rules," Stevens is further reported to have said.


Fingerprints are biometric data as defined in GDPR Article 4(14): personal data resulting from specific technical processing of a person's physical characteristics which allows or confirms their unique identification. Processing biometric data for the purpose of uniquely identifying a natural person is, under Article 9, a special category of processing that is prohibited unless one of the Article 9(2) exceptions (such as the data subject's explicit consent) applies. Biometric data is therefore personal data which must be processed on a lawful basis, and under one of those exceptions, in compliance with the GDPR and the UK's Data Protection Act 2018.


Does your company use biometric data such as fingerprints, voiceprints or facial recognition? If so, failure to adhere fully to the rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.




ICO launches consultation on the draft direct marketing code of practice

Public consultation for the UK draft direct marketing code of practice is now open.

Earlier this month the ICO launched a public consultation on its draft direct marketing code of practice. This draft code has been produced in accordance with section 122 of the Data Protection Act 2018.

According to the ICO, the draft code of practice aims to provide practical guidance and promote good practice in regards to processing for direct marketing purposes in compliance with data protection and e-privacy rules. The ICO further notes that "the draft code covers the legislation as it currently stands, which for e-privacy means the Privacy and Electronic Communications Regulations 2003 (PECR)".

Who is the code applicable to?

The code applies to any business which processes personal data for direct marketing.

Direct marketing is explained by the ICO to include the promotion of aims and ideals as well as advertising goods or services. Any method of communication which is directed to particular individuals could constitute direct marketing. "Direct marketing purposes include all processing activities that lead up to, enable or support the sending of direct marketing," says the ICO.

Draft Direct Marketing code of practice overview:

The code provides guidance in regards to:

Planning marketing activities – Data protection by design
Generating leads and collecting contact details
Profiling and data enrichment
Sending direct marketing messages
Online advertising and new technologies
Selling or sharing data
Individual rights

The ICO notes that following the code, along with other ICO guidance, will enable companies to comply with the GDPR and PECR.

The public consultation on the draft code will remain open until 4 March 2020.

Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. Contact us today.

ICT Regulation in 2020: What to expect? An Aphaia Perspective


Aphaia's Managing Partner Bostjan Makarovic and Partner Cristina Contero Almagro weigh in on ICT regulation in 2019 and offer their predictions and hopes for 2020.


To say it has been an eventful 2019 for data protection, ICT governance and ePrivacy, specifically within the EU and United Kingdom, would be an understatement. Indeed, with 2019 being the first full year with the GDPR, it proved to be a year of lessons, policy implementations, new developments, court rulings and fines, all centred on honouring the privacy and rights of individuals in today's highly technical, online-based era. In fact, Privacy Affairs reports a total of 150 fines totalling €103,852,871 for the year, with the €50 million sanction on Google being the largest fine of the year.


So, with 2019 winding down to give way to 2020, we sat down with Aphaia's Managing Partner Bostjan Makarovic and Aphaia Partner Cristina Contero Almagro for their professional insights on the year passed and their expectations and projections for 2020.


From a data protection and AI ethics standpoint, how would you describe 2019? What would you pinpoint as two of the most impactful occurrences in regards to ICT regulation in the year just past?


Bostjan: 2019 has been the year when the topic of AI seems to have found a special place in the EU’s regulatory landscape. In addition, important new practical questions on the intersection of privacy and AI regulation have emerged, say in relation to smart billboards.


Cristina: AI Ethics standpoint: I would say 2019 has been a turning year. On 8 April 2019, the High-Level Expert Group on AI presented their Ethics Guidelines for Trustworthy Artificial Intelligence, which was part of a series of four documents. In April we also became members of the European AI Alliance, a multi-stakeholder forum for engaging in a broad and open discussion of all aspects of AI development and its impact on the economy and society, which allows us to interact with the AI-HLEG. The first AI Assembly took place on 26th June in Brussels and we were invited to attend, so we did. The Policy and Investment Recommendations on AI and the piloting process of the AI Ethics Guidelines were launched at this event. This year has also been the year of our YouTube channel, and we hope to keep working on our vlogs during 2020.


Data protection standpoint: 2019 has been the first whole year with the GDPR, as it started to apply in May 2018. We have been able to learn from the fines and the guidelines launched both from Member States' DPAs and EU bodies, such as the EDPB. One of the most expected events of this year was the publication of the cookies guidance from DPAs (ICO in the UK, AEPD in Spain, CNIL in France, etc.), although we will still have to wait for the new ePrivacy Regulation.



As we look ahead to 2020, from your analysis what are some expectations? Do you foresee any changes or implementations that would have a big effect on the way businesses operate?


Cristina: I personally hope that EU guidelines raise awareness of the importance of ethics, and that this leads to the approval of codes of conduct for the industry. We also expect a revised ePrivacy Regulation proposal as part of the forthcoming EU Croatian Presidency.


It would also be great to see how 2020 becomes the year of 5G, as it will definitely impact the way we do business, and our lives as such, plus it is closely linked to data protection and AI ethics. There is a lot of work to do there. It is challenging and we are looking forward to this becoming a reality. Smart cities, self-driving cars, AR… there is a whole world out there waiting for 5G!


We cannot forget about Brexit, which may severely impact data protection and AI ethics across Europe.


Bostjan: In the second half of 2020, the new European Electronic Communications Code (EECC) will directly affect both communications services and telecoms infrastructure providers across the EU. I am also wondering whether in 2020 the European Commission might seriously start looking into the possibility of a mandatory regulatory framework for AI, in addition to that of the GDPR.



What advice would you give to online businesses and companies using AI to ensure they get on top of the changes coming in 2020?


Cristina: Without a doubt: they should contact Aphaia! (just kidding). What I would advise is that they look at the past and listen to their customers. Look at the past because, with the example of the GDPR for instance, it is easy to see how costly not doing the right thing from the beginning is; and listen to their customers, because the audience is demanding trustworthy AI, and they may not see a negative impact of not providing it for now, but it is just a matter of time: 'adapt or die'.



Bostjan: As Cristina pointed out, getting timely compliance advice is crucial. The GDPR requirement for 'data protection by design and by default' already requires businesses to look into privacy matters at the point of development of the product, not once it has been finalised or even launched. In the second half of 2020, many online businesses providing voice, chat or messaging platforms will also need to ensure they comply with the EECC.



Do you need assistance in ICT policy or regulation? Aphaia provides GDPR and UK Data Protection Act 2018 consultancy services, data protection impact assessments, Data Protection Officer outsourcing, AI ethics assessments and telecoms policy and regulation consultancy services.


EDPB opinion on the draft requirements for the accreditation of a code of conduct monitoring body

EDPB issues opinion on UK Supervisory Authority draft accreditation for a code of conduct monitoring body

On 2 December, the European Data Protection Board (EDPB) adopted its opinion on the UK data protection Supervisory Authority's draft accreditation requirements for a code of conduct monitoring body.

Earlier this year, the United Kingdom Supervisory Authority (UK SA) submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the EDPB for assessment and opinion. This is in line with Article 64 GDPR, which makes the EDPB responsible for ensuring the consistent application of the GDPR when a supervisory authority intends to approve a code of conduct (Article 40(5)) or the criteria for accrediting a body that monitors one (Article 41(3)). Two weeks ago, the EDPB adopted its opinion on the UK SA draft accreditation requirements.

The opinion aims to ensure consistency and the correct application of requirements among EEA Supervisory Authorities.

Codes of Conduct and the GDPR

An ICO document explains that under the GDPR, trade associations and representative bodies may draw up codes of conduct that cover topics that are important to their members. These topics, the ICO offers, can include fair and transparent processing, pseudonymisation or the exercise of people's rights. The ICO adds that while codes of conduct are not mandatory under the GDPR, they are a good way of developing sector-specific guidelines to help with compliance with the GDPR.

EDPB Opinion Summary

Upon assessment, the EDPB concluded that the draft accreditation requirements of the UK SA may lead to inconsistent application of the accreditation for monitoring bodies. As such, several recommendations and changes to the draft accreditation requirements were proposed by the EDPB. These recommendations include that the UK SA provide clarification on the requirements for accountability and offer more examples of the kind of evidence that monitoring bodies can provide.

Next steps?

The EDPB opinion document notes that, according to Article 64(7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means, within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or, where it does not intend to follow the opinion of the Board, the relevant grounds for which it does not intend to follow the opinion, in whole or in part. The supervisory authority shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR and UK Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. Contact us today.