CPS Advisory fined

CPS Advisory fined for unauthorized cold calls

CPS Advisory faces ICO fine for making more than 100,000 unauthorized pension-related direct marketing calls. 


As technological advances, globalization—and now worldwide health & safety threats (such as COVID-19)—continue to catapult our world further into the remote sphere, more and more businesses are turning to cold calling and other such distanced customer engagement methods to keep their businesses alive. Yet if companies are not diligent, what may seem a prudent, practical, inevitable business development solution—especially in these unprecedented 2020 times—could plunge them into some serious hot water. This is the case for Swansea, UK-based company CPS Advisory (CPSAL).


According to the ICO, an investigation into CPS Advisory’s operations revealed that during the period January 11 2019 to April 30 2019, the company made 106,987 unsolicited direct marketing calls related to occupational pension and/or personal pension schemes, contrary to regulation 21B of PECR.


The ICO article summarizes that “under the new law, companies can only make live calls to people about their occupational or personal pensions if:

  • the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme;
  • the recipient of the call consents to calls, or has an existing relationship with the caller and the relationship is such that the recipient might reasonably envisage receiving unsolicited calls for the purpose of direct marketing in relation to occupational pension schemes or personal pension schemes; and
  • the recipient of the call has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of the recipient’s contact details for the purpose of such direct marketing, at the time that the details were initially collected and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.”


As a result of this breach, the ICO Monetary Penalty Notice notes that the Information Commissioner decided to issue CPSAL with a monetary penalty under section 55A of the Data Protection Act 1998 (DPA).


PECR & GDPR – how do they fit


According to the ICO, “the GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but use the new GDPR Standard of consent. 


“This means that if you send electronic marketing or use cookies or similar technologies, from 25 May 2018 you must comply with both PECR and the GDPR.”


Does PECR apply to you & your company? 


The ICO offers that although some of the rules apply only to organisations that provide a public electronic communications network or service, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory)

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Hungarian DPA fined Forbes

Hungarian DPA fined Forbes for GDPR violation.

Hungarian DPA fined Forbes for failing to carry out a legitimate interest assessment in relation to two of their publications and to inform data subjects in advance about the results.


The Hungarian DPA decided this July to fine Forbes for violating various articles of the GDPR with regard to two of the company’s publications. The EDPB recently reported that the Publisher violated the GDPR in relation to both the printed and online versions of the Forbes publications of September 2019 and January 2020, one containing the largest family undertakings and the other the 50 richest Hungarians. In addition, the Authority accused Forbes of failing to provide adequate information to the Complainants about all the essential circumstances of data processing, and of their rights to object to the processing of their personal data.


The company infringed on several sections of the GDPR in releasing those publications.


In both of the DPA’s decisions, No. NAIH/2020/1154/9 of 23 July 2020, and No. NAIH/2020/838/2 of 23 July 2020, Forbes was found to have been in infringement of Article 6(1)(f) of the GDPR. This article states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”


In failing to inform the Complainants of their option to exercise their rights, Forbes infringed on Articles 5(1)(a), 5(2), 12(1) and 12(4), as well as Articles 14, 15 and 21(4) of the GDPR. The relevant sections of Article 5 of the GDPR call for personal data to be processed lawfully, fairly and in a transparent manner, and provide that the controller is responsible for, and must be able to demonstrate, compliance with the aforementioned requirements. Article 12 requires the controller to take appropriate measures to provide any relevant information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It also provides that if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay of the reasons why, within no more than one month of receipt of the data subject’s request. Articles 14 and 15 speak to the right of the data subject to obtain from the controller confirmation as to whether or not their personal data is being processed, and to obtain access to information on the personal data being processed, as well as clear information on where this data has been obtained, together with other relevant elements around the processing. In this instance, Forbes also denied the data subjects the right to object to the publishing of this personal data, by neglecting to inform them and gain their consent, which violates Article 21.

The Hungarian DPA fined Forbes and gave the company several orders for corrective action.


The Hungarian DPA imposed a fine of 5,600 € for one of the infringements and 7,000 € for the other. The company was also ordered to undertake several corrective actions. Forbes was ordered to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights. The company will also need to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions, and to carry out the interest assessment including the second individual interest assessment following the objection in accordance with the legal regulations and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis.


The Authority is not opposed to “rich lists” but maintains that they must be done in accordance with the GDPR and preferably with minimal information released on data subjects. 


When the Hungarian DPA arrived at its position on the matter, it also did not decide that lists of businessmen and companies should never be made in this form or fashion. Forbes may compile lists on the basis of business data that is accessible to the public; however, the publication of those lists is subject to the requirements of the GDPR, and the publisher as controller has to comply with these stringent requirements. The general practice in the Hungarian market, of which the Authority approves, is that the various rich lists or publications listing the richest Hungarians did not in all cases include the name of the data subject, but rather initials and minimal information instead of presenting the activities of the data subject. The publishing of this personal data should follow the well-grounded objection by the data subject.



Complaints against Google and Facebook

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights.

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights, for data transfers which violate the GDPR. 


Complaints were filed against Google and Facebook in several EU countries for an alleged violation of the GDPR. As a result, the European Center for Digital Rights (noyb) has launched a series of investigations into allegations against data giants Facebook and Google, as they appear to be infringing on the digital rights outlined by the EU Charter of Fundamental Rights. It is postulated by noyb that, despite previous court rulings from the CJEU, the information moguls have not ceased using and processing EU data on US servers and, by extension, adhering to US surveillance protocols.


Investigations were launched after complaints against Google and Facebook were filed in all 30 EU and EEA member states.

Complaints were filed against Google and Facebook, as well as 101 European companies that still forward data about each visitor to Google and Facebook. In previous rulings, Google and Facebook were asked to stop using the Google Analytics and Facebook Connect features altogether where it pertained to EU citizens and data. However, it seems that despite these rulings, smaller states in the EU were unaware that the terms and conditions they were adhering to via the EULA from these companies were unconstitutional and in direct violation of the EU charter. These companies have not been giving express and explicit instructions that the data collected is being processed in the US, and no consent is ever sought from the end user.

The onus is on respective DPAs to take action in addressing this issue, according to the GDPR.

The issue lies in the fact that the GDPR requires each member state’s individual Data Protection Authority to enforce and to police these complaints in their respective territories. This can range from prohibition notices to serious penalties, including hefty fines. Due to a lack of information, noyb has made legal guidelines regarding this type of interaction free to all member states and also encourages individual members to act more diligently when it comes to the enforcement of these protocols. The investigations and monitoring of these companies will continue, and complaints will continue to be filed, as long as they keep using their current data processing protocols, which clearly break the terms dictated by European courts. More action is sure to be taken in the future, especially concerning mobilising certain DPAs such as the Data Protection center in Ireland, which is currently inactive.


Certain laws within the US create a challenge to the GDPR, and to companies which transfer data across borders.


Certain programmes enabling access by US public authorities to personal data transferred from the EU result in limitations on the protection of personal data which do not satisfy GDPR requirements. Laws such as FISA 702 or EO 12.333 are pieces of legislation which hold these companies liable to provide personal data of persons in the EU to the US government. This is deemed especially problematic because these companies are obligated to share information with the NSA, which is a direct conflict of interest regarding the privacy and data rights of EU citizens.


Ireland’s Data Protection Commission has ordered Facebook to stop sending user data to the US.


The Wall Street Journal recently reported that the EU privacy regulator has sent Facebook a preliminary order to suspend all data transfers on its EU customers to the US. This preliminary order was sent late last month, as the DPC’s first significant step to enforce July’s ruling by the European Court of Justice. This ruling restricts how Facebook and other tech giants can send personal information of EU individuals to the US. Facebook would need to re-engineer its service to isolate data collected from EU users, or stop serving them at least temporarily, in order to comply with Ireland’s preliminary order. The company could face up to $2.8 billion (4% of annual revenue) in fines if it fails to comply with this order. Ireland’s DPC has given the company until mid-September to respond to the order, and informed Facebook of its intention to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval under a cooperation provision of the bloc’s privacy law.


Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.

EDPS guidance on temperature checks

EDPS guidance on temperature checks during the COVID-19 pandemic

Temperature checks during COVID-19, the global health crisis, have become a necessary part of the continuity of general affairs. The EDPS has released guidance to help institutions in navigating this sphere while keeping the privacy of the individual at the forefront.


Due to the COVID-19 situation, many European Union members have implemented several safeguards and protocols to protect against and prevent outbreaks during the COVID-19 pandemic. Many EU organisations have found it necessary to implement key safety measures in workplaces and other important bureaucratic centres, one of which is mandatory temperature checks. However, in the world of data protection and privacy and the rights of citizens under the EU charter, it is very possible that these safety mechanisms could infringe on the rights of many individuals who have the right to private life without interruption.


The EDPS has indicated mandatory guidelines to ensure safety and privacy of EU individuals.


There are a few guidelines that the EDPS has made mandatory for these European institutions, which promise to ensure that both safety and privacy protection are paramount in the pandemic ecosystem. One of the key measures implemented is that no recording or processing of personal data is allowed when temperature information is being measured. In other words, where manual testing is done using a hand thermometer, the personnel operating the thermometer must not record the results or add them to any filing system. If there is an automated system such as a thermal camera, it is paramount that these cameras are not set up or integrated into a cloud or filing system that will add the temperature information of the individuals, be it visitors or otherwise, to these sites’ database under any specific criteria as outlined by the EDPS guidelines.


On site personnel must be trained to not only monitor the machine, but verify the validity of the initial reading, and recalibrate temperature measuring devices when necessary.


In addition, there must be trained personnel who can not only monitor the machine in real time, as it is not allowed to record information, but also explain to individuals the reason for the thermal testing. The testing must be reliably repeatable, because persons have the right to have multiple tests or readings of their temperature taken to verify the validity of the initial reading. The personnel present must also be able to explain how the machine works, and training on how to calibrate the sensor must be given to the personnel entrusted with this task. Again, it is a complete violation to add this temperature information to any form of filing system or personnel file, as this could lead to a direct violation of the EU charter of rights for its citizens and EDPS guidelines.


Institutions must meet additional requirements to meet the minimum standard requirement for institutions navigating the pandemic.


However, one of the key factors in the charter is that workplaces and public spaces must meet the minimum standard requirement for work health protocols, and during the COVID-19 outbreak, masks, disinfecting gels/sanitizers and temperature checks all fall under the jurisdiction of minimum health protocols. Therefore, this is mainly about achieving a balance between the protocols of safety and privacy at these EUI sites. The key concern for the EDPS is maintaining the balance of legality and safety for its citizens, so there are many clauses and subsections that can be related to the COVID situation as far as lawfulness goes.


Individuals entering these sites must be kept informed and given full disclosure.


In addition to this, it is also very important that the persons who are entering the sites are aware of the reason for the screenings and that they are given full disclosure. This information should be readily available at any point in time. In the event that a person has taken multiple readings and has surpassed the temperature threshold for entering one of these sites, they should also be given assistance in the form of directions to find a doctor or a nurse or a COVID testing centre nearby. They should be provided with some form of written receipt of denial of entry to validate any bureaucratic or official need to verify the reason for the inability to enter the site.


Employees should all be given alternatives for continuing to work amid the health crisis.


In the case of employees, it is paramount that alternative working methods such as remote work be considered, given the disruption to one’s personal and private life caused by this test, which may be automated or carried out by machine or by on-site personnel. These protocols allow persons to have minimal disruption in their life, while taking full advantage of health screenings and temperature checks without any privacy issues.


It is imperative that devices used for temperature checks be maintained and recalibrated on a regular basis.


It is also important to note that, because the threshold for the COVID-19 temperature is within a 1 degree C margin of error, recalibration and maintenance on these automated or more complex temperature reading devices must be carried out regularly, and by qualified personnel. Again, these technologies must not be connected to any cloud storage or filing system, and all of the readings must be done in real time with the aid of a person who is not simply viewing the data, but is qualified to understand and to scrutinise any error that the machine may make, as it is unconstitutional by the charter freedoms of the European Union to let an automated machine make that level of decision without human input. Therefore, it is paramount that someone is there to verify and clarify the results gathered by these machines.

