CNIL provides further guidance on collection of personal data by employers in the context of COVID-19 pandemic.

CNIL provides further guidance for employers, in the context of the global pandemic, on the collection of personal data.


In the context of the health crisis brought on by the spread of the coronavirus, many authorities and organisations have been providing as much help and guidance to relevant agents, in navigating the current situation and continuing business during the pandemic. We are collectively at the point of the pandemic where it has been established that life must go on and organisations and businesses are trying to establish some sort of normalcy to facilitate business continuity. The CNIL recently released a document, providing guidance which may aid employers in navigating the current atmosphere in the workplace with regard to the coronavirus-related health crisis.

Employers are obligated to ensure the safety of their employees.

it is the employer’s responsibility to implement measures to prevent occupational risks and information and training actions, as well as to ensure that work organization and resources are adapted to working conditions. Employers are encouraged to remind their employees, working in contact with other people, of their obligation to report individually in the event of contamination or suspected contamination, to them or to the competent health authorities, for the sole purpose of enabling them to adapt working conditions.

CNIL provides guidance to employees as well, on navigating working through the pandemic.


Employees are responsible for preserving their own health and safety and also that of the people with whom they may come into contact during their professional activity. Under normal circumstances, employees who are home sick, typically need only to communicate the terms (usually length) of their sick leave. However, in a context of a pandemic such as that of COVID-19, an employee who works in contact with other people (colleagues and the public), each time he has been able to expose some of his colleagues or for example clients, to the virus, must inform his employer in the event of contamination or suspicion of contamination with the virus. If this employee works in isolation or teleworks, they need not provide this information.

How does the GDPR say that health data should be processed?

Employers can only process health data necessary for the satisfaction of their legal and contractual obligations, that is to say necessary to take organizational measures (teleworking, referral to the occupational doctor, etc.), training and information, as well as certain actions to prevent occupational risks. For this reason, only elements of data linked to the date, to the identity of the person, to the fact that they have indicated to be or suspected of being contaminated, as well as the organizational measures taken, should be processed by the employer. The employer may communicate to health officials, the elements necessary for a possible health or medical care of the exposed person. However, under no circumstance is the employer to identify or communicate any personal info about the likely infected person to other employees.


In developing and implementing company protocol, employers cannot take measures likely to disproportionately infringe on the privacy of employees, or other data subjects, in particular through the collection of health data, that would go beyond managing suspected exposure to the virus to protect employees and the public. In order to be processed, the use of the data must necessarily fall within one of the exceptions provided for by the GDPR, thus securing the balance between the desire to ensure the security of individuals and respect for their fundamental rights and freedoms.

What does the law say about temperature readings at entrances?

In an effort to prevent contamination or spread of the virus, or to remove employees from the working environment who may have a fever, some employers may wish to systematically monitor employees’ temperatures at the entrance to their premises. Recently on our blog we reported on the CNIL calling for caution in the use of smart and thermal cameras in this process. The CNIL has noted that the effectiveness and appropriateness of the temperature measurement is disputable, as this symptom is neither systematic of, nor exclusive to COVID-19. In any case an individual’s body temperature constitutes sensitive data relating to his health and is therefore considered subject to special protection under the GDPR. In particular, Article 9 of the GDPR prohibits employers from keeping data on employees’ temperatures if taken at the entrance of a site.


CNIL provides further guidance, that only competent health personnel can collect, implement and access any medical forms or questionnaires from employees or agents containing any data related to the state of the health or information relating particularly to their family situation, living conditions, or even their possible movements. The same would apply for medical, serological, or COVID-19 screening tests, as the results of these are subject to medical confidentiality. 

The CNIL has provided further tips on business continuity in the context of the pandemic.


Companies may also be required to establish a business continuity plan, aiming to maintain the essential activity of the organisation during a crisis like the COVID-19 health crisis. This plan must be inclusive of all the measures to protect the safety of employees, and to identify the essential activities to be maintained and also the people necessary for the continuity of the service.


There are a few additional key points noted by the CNIL. The CNIL notes that the employer is responsible for the health and safety of his employees and must take collective protective measures, like social distancing protocol, and provision of personal protective equipment, hand sanitiser and so on. The authority also reiterates that the employer does not have to organise the collection of health data from all employees. The only situation that would warrant an employer taking individual measures, is in the event that a report is made by an employee himself that he may have been exposed, or may have exposed some of his colleagues or the public to the virus. In addition, the authority advises that employers who would like to go beyond their obligations and ensure the state of health of their employees by setting up individualized working conditions must necessarily rely on the occupational health service, which has sole competence on the subject.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 during the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

CPS Advisory fined

CPS Advisory fined for unauthorized cold calls

CPS Advisory faces ICO fine for making more than 100,000 unauthorized pension-related direct marketing calls. 


As technological advances, globalization—and now worldwide health & safety threats (such as COVID-19)—continue to catapult our world further into the remote sphere, more and more businesses are turning to cold calling and other such distanced customer engagement methods to keep their businesses alive. Yet if companies are not diligent, what may seem a prudent, practical, inevitable business development solution—especially in these unprecedented 2020 times—could plunge them into some serious hot water. This is the case for Swansea, UK based company CPS Advisory (CPSAL). 


According to the ICO,  an investigation into CPS Advisory’s operations revealed that during the period January 11 2019 to April 30 2019, the company made 106,987 unsolicited direct marketing calls related to occupational pension and/or personal pension schemes contrary to regulation 21B of PECR. 


The ICO article summarizes that “under the new law, companies can only make live calls to people about their occupational or personal pensions if:

  • the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme;
  • the recipient of the call consents to calls, or has an existing relationship with the caller and the relationship is such that the recipient might reasonably envisage receiving unsolicited calls for the purpose of direct marketing in relation to occupational pension schemes or personal pension schemes; and
  • the recipient of the call has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of the recipient’s contact details for the purpose of such direct marketing, at the time that the details were initially collected and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.


As a result of this breach, the ICO Monetary Penalty Notice notes that the Information Commissioner decided to issue CPSAL with a monetary penalty under section 55A of the Data Protection Act 1998 (DPA).


PECR & GDPR – how do they fit


According to the ICO, “the GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but use the new GDPR Standard of consent. 


“This means that if you send electronic marketing or use cookies or similar technologies, from 25 May 2018 you must comply with both PECR and the GDPR.”


Does PECR apply to you & your company? 


The ICO offers that although some of the rules apply only to organisations that provide a public electronic communications network or service, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory)

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Hungarian DPA fined Forbes

Hungarian DPA fined Forbes for GDPR violation.

Hungarian DPA fined Forbes for failing to carry out a legitimate interest assessment in relation to two of their publications and to inform data subjects in advance about the results.


The Hungarian DPA came to a decision this July, to fine Forbes for violating various articles of the GDPR with regard to two of the company’s publications. The EDPB recently reported that in relation to both printed and online versions of the Forbes publication in September 2019 and in January 2020, one containing the largest family undertakings, and the other, the 50 richest Hungarians, the Publisher violated the GDPR. In addition, the Authority accused Forbes of failing to provide adequate information to the Complainants about all the essential circumstances of data processing, and of their rights to object to the processing of their personal data. 


The company infringed on several sections of the GDPR in releasing those publications.


In both of the DPA’s decisions, No. NAIH/2020/1154/9 of 23 July 2020, and No. NAIH/2020/838/2 of 23 July 2020, Forbes was found to have been in infringement of Article 6(1)(f) of the GDPR. This article states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”


In failing to inform the Complainants of their option to exercise their rights, Forbes infringed on Articles 5(1)(a), 5(2), 12(1) and 12(4), as well as Articles 14, 15 and 21(4) of the GDPR. The relevant sections of Article 5 of the GDPR calls for personal data to be processed lawfully, fairly and in a transparent manner, and that the controller is in fact responsible for, and must be able to demonstrate compliance with the aforementioned requirements. Article 12 outlines the fact that the controller must take appropriate measures to provide any relevant information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It also mentions that if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay of the reasons why, within no more than one month of receipt of the data subject’s request. Articles 14 and 15 speak to the right of the data subject, to obtain from the controller, confirmation as to whether or not their personal data is being processed and to obtain access to information on the personal data being processed, and also clear information on where this data has been obtained, together with other relevant elements around the processing. In this instance, Forbes also denied the data subjects the right to object to the publishing of this personal data, by neglecting to inform them and gain their consent, which violates Article 21.

The Hungarian DPA fined Forbes and gave the company several orders for corrective action.


The Hungarian DPA imposed a fine of 5,600 € for one of the infringements and 7,000 € for the other. The company was also ordered to undertake several corrective actions. Forbes was ordered to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights. The company will also need to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions, and to carry out the interest assessment including the second 

individual interest assessment following the objection in accordance with the legal regulations 

and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis.


The Authority is not opposed to “rich lists” but maintains that they must be done in accordance with the GDPR and preferably with minimal information released on data subjects. 


When the Hungarian DPA arrived at its position on the matter, it also did not decide that lists of businessmen and companies should never be made in this form of Fashion. Forbes may compile lists, on the basis of business data that is accessible to the public, however the publication of those lists is subject to the requirements of the GDPR, and the publisher as controller has to comply with these stringent requirements. The general practice in the Hungarian market, of which the authority approves is that the various rich lists or publications listing the richest Hungarians, did not in all cases include the name of the data subject, but rather initials and minimal information instead of presenting the activities of the data subject. The publishing of this personal data should follow the well grounded objection by the data subject.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Complaints against Google and Facebook

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights.

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights, for data transfers which violate the GDPR. 


Complaints were filed against Google and Facebook in several EU countries for an alleged violation of the GDPR. As a result, the European Center for Digital Rights (noyb) has launched a series of investigations into allegations against Data Giants Facebook and Google as they appear to be infringing on the digital rights outlined by the EU charter of Fundamental rights. It is postulated by the noyb, that despite previous court rulings from the CJEU, the information moguls have not ceased in their use of, and processing of EU data, under US servers and by extension adhering to US surveillance protocols. 


Investigations were launched after complaints against Google and Facebook were filed in all 30 EU and EEA member states.

Complaints were filed against Google and Facebook, as well as 101 European companies that still forward data about each visitor to Google and Facebook. In previous rulings, Google and Facebook were asked to stop using the Google Analytics and Facebook Connect features altogether where it pertained to EU citizens and data. However it seems despite these rulings smaller states in the EU were unaware that these terms and conditions that they were adhering to via the EULA from these companies were unconstitutional and were in direct violation of the EU charter. These companies have not been giving express and explicit instructions that the data collected is being processed in the US and no consent is ever sought out by the End User. 

The onus is on respective DPAs to take action in addressing this issue, according to the GDPR.

The issue lies in the fact that the GDPR requires each member state’s individual Data Protection Authority to enforce and to police these complaints in their respective territories. This can range from prohibition notices to serious penalties, including hefty fines. Due to a lack of information the noyb has made legal guidelines regarding this type of interaction free to all member states and also encourages individual members to act more diligently when it comes to the enforcement of these protocols. The investigations and monitoring of these companies will continue and complaints will continue to be filed as long as they keep using their current data processing protocols which clearly break the terms dictated by European Courts and more action is surely to be taken in the future, especially concerning mobilising certain DPAs such as the Data Protection center in Ireland which is currently inactive at the current time .


Certain laws within the US create a challenge to the GDPR, and to companies which transfer data across borders.


Certain programmes enabling access by US public authorities to personal data transferred from the EU result in limitations on the protection of personal data which do not satisfy GDPR requirements. Laws such as the FISA 702 or EO 12.333 are pieces of legislation which hold these companies liable to provide personal data of persons in the EU to the US government. This is deemed as especially problematic due to the fact that these companies are obligated to share information with the NSA which is a direct conflict of interest regarding the privacy and data rights of EU citizens. 


Ireland’s Data Protection Commission has ordered Facebook to stop sending user data to the US.


The Wall Street Journal recently reported that the EU privacy regulator has sent Facebook a preliminary order to suspend all data transfers on its EU customers to the US. This preliminary order was sent late last month, as the DPC’s first significant step to enforce July’s ruling by the European Court of Justice. This ruling restricts how Facebook and other tech giants can send personal information of EU individuals to the US. Facebook would need to re-engineer it’s service to isolate data collected from EU users, or stop serving them at least temporarily, in order to comply with Ireland’s preliminary order. The company could face up to $2.8 billion (4% of annual revenue) in fines, if it fails to comply with this order. Ireland’s DPC has given the company until mid-September to respond to the order, and informed Facebook of its intention to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval under a cooperation provision of the bloc’s privacy law.


Do you make international data transfers to third countries? Are you affected by Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.