Amazon facing lawsuit in Germany

Amazon facing lawsuit in Germany, accused of breaking EU’s privacy laws.

Amazon facing lawsuit in Germany after being accused of breaking the EU’s privacy laws by continuing to rely on the invalidated EU-US Privacy Shield.


The global giant Amazon is currently facing a lawsuit and has been accused of breaking privacy laws in Europe, according to this recent article from Politico. The company is accused of continuing to rely on the infamous Privacy Shield despite its invalidation in Europe, which has led to this lawsuit. The basis of the complaint is that the Court of Justice of the European Union made clear that transferring data under the Privacy Shield was no longer allowed following July’s Schrems II judgment. This ruling invalidated the EU-US Privacy Shield. The reason for the invalidation was that the CJEU decided that transferring data outside the EU put it at risk: according to the CJEU, US surveillance practices are more intrusive than they should be and go beyond what is acceptable for privacy. While Amazon understands that the Privacy Shield is invalid, it appears that the company has continued to use this invalidated transfer mechanism.

Standard Contractual Clauses are still a viable option for companies needing to transfer data.

Standard Contractual Clauses (SCCs) are another option for the technological giants and are used by the likes of Google and Facebook. The difference is that exporting data from the EU under SCCs requires more supervision and better ensures the safety of the data. While SCCs give these companies an alternative, the clauses come with caveats and are not entirely free of problems. Right now, Facebook is in dispute with the Irish data protection regulator over its use of the clauses.

EuGD takes legal action against Amazon.

EuGD (Europäische Gesellschaft für Datenschutz) decided to take action by filing the formal legal complaint that escalated the conflict. The recent article by Vincent Manancourt features a statement from Johann Hermann, the current head of EuGD, the group behind the legal complaint. “The [Court of Justice of the European Union] has made it clear that data transfers to the U.S. on the basis of the Privacy Shield are no longer permitted. If the world’s leading cloud company and largest e-commerce provider remains inactive for more than two months and ignores consumer rights, that is unacceptable,” said Mr Hermann. Moreover, the founder of EuGD, Thomas Bindl, said that the decision to take the legal route was made with similar conflicts in mind.

Despite the noise and controversy surrounding the conflict and the impending lawsuit, it is still necessary to wait and see how the case develops in court. However, regardless of the outcome of the ruling, this will likely inspire greater vigilance and compliance on the part of other companies that transfer data out of Europe.


Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.


H&M fined by HmbBfDI

H&M fined by HmbBfDI, over 35M Euro for data protection breaches.

H&M fined by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), over 35M Euro for data protection breaches.

H&M has been fined by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). H&M (Hennes & Mauritz), the popular clothing company, registered in Hamburg with a service center in Nuremberg and stores all over Europe and North America, has become the center of a data protection controversy. This has cost the brand a fine of over 35 million euros, as reported by the EDPB.

H&M interviewed their workforce about their personal lives, recording and storing excessive amounts of personal data.

H&M had been operating this way for more than 6 years at its service center in Nuremberg. Supervisors interviewed employees extensively about their personal lives, recorded everything, and stored all of this information on the company’s internal networks. In particular, following absences such as vacations and sick leave, even short ones, they would conduct long conversations called “Welcome Back Talks”. In those meetings, they would investigate every detail of the employee’s activities during the absence. The supervisors recorded extensive data, including not only vacation experiences but also symptoms of illness and diagnoses.

In addition to what was collected during those welcome back talks, supervisors gathered information from casual hallway conversations, ranging from personal family issues to personal, political and religious beliefs. Some of this information was used to evaluate the employee’s development within the workplace, as well as their performance.

This practice, which put the employees’ privacy at great risk, came to light when the data became accessible company-wide for several hours in October 2019 due to a configuration error.

In October 2019, these documents containing personal information on individual employees became accessible for several hours. This was due to an internal error in the configuration of the company’s network. This event directly violated the employees’ rights by putting their personal and private information at risk. The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), upon becoming aware of the data breach through press reports, took up the matter, demanded that the contents of the network drive be frozen and subsequently handed over, and interviewed witnesses to confirm the company’s practices. H&M’s records consisted of around 60 gigabytes of data, which the company submitted for evaluation.

Following the hefty fine, H&M has taken full responsibility for the incident, apologized and is taking corrective measures.

The company was issued a fine of 35,258,707.95 euros for the violation. Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, comments: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.” This should also serve as an example to other companies of how to operate and safeguard their employees’ private information if they wish to avoid similar situations.

The company presented HmbBfDI with a comprehensive concept of how data protection is to be implemented at the Nuremberg site from now on. Management has also expressly apologized to those affected and offered employees considerable compensation for the breach. The newly introduced data protection concept includes a newly appointed data protection coordinator, monthly data protection status updates, more widely communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.

“Data processing should always be subject to the existence of at least one lawful basis of those laid down in Article 6 GDPR. Records on religious beliefs and diagnoses merit even higher protection because they are special categories of data with restricted processing. This fine should serve as an example for other companies, and it shows that no personal data processing is exempt from complying with the data protection regulation, including those operations that are limited to internal networks,” comments Cristina Contero Almagro, Partner at Aphaia.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling employee data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Amazon launches new technology

Amazon launches new technology which scans palms for identification and payment.

Amazon launches new technology in two of its physical stores which allows for contact-free identification and payment by scanning an individual’s palm.


Amazon is on the verge of launching a new biometric payment system which scans an image of customers’ palms, according to this new BBC article. The new method is an attempt at a contactless replacement for traditional membership and physical loyalty cards. The unique identifiers are the vein patterns in an individual’s hands, which remain fairly inconspicuous to the naked eye. Customers hold their palm a few inches away from the scanner, making it a contactless form of identification and payment at the same time. The system is currently being tested at two Amazon stores. Physical bills and data will be stored locally at the stores and will not be sent to Amazon data centers, and customers will be able to delete their data via Amazon’s website.


Amazon developers think this technology is safer and more secure than other methods of biometric identification. 


The application appears to be as accurate and effective as fingerprints, but palm vein patterns are not as easily identifiable by human vision and are therefore presumably more difficult to replicate. Amazon developers claim it is more secure than other forms of biometrics, which is especially relevant after racial bias was shown in the company’s facial recognition software, the use of which officials have currently suspended. Recently, we published an article on The National Biometric Information Privacy Act, which was introduced into the US Congress. Bills like these are an attempt to curtail any negative effects or security breaches that may arise from the use of biometric scanners and similar technology.


While this technology is convenient, some point to possible data security risks.


In the midst of the pandemic, the introduction of a new payment method requiring less human interaction and no physical contact seems like a much needed innovation. However, some groups are advocating against biometric forms of identification and payment because of the privacy issues associated with biometric data being stored by governments or large corporations. Silkie Carlo, director of the privacy rights group Big Brother Watch, says that this new technology is invasive and unnecessary, and that it provides just another outlet for Amazon to cultivate personal data freely despite privacy laws and agreements.


The convenience of biometrics is not overshadowed by the possible invasion of privacy that it risks as a direct consequence. The installation of these scanners in many other buildings is being discussed if this initial trial at the Seattle locations goes well. This technology is part of Amazon’s vision of a supermarket without human staff, where everything in the store is tracked by AI and machines and payment can be completed using this new palm scanner for a fully contactless experience.


What does the GDPR say about this type of data processing?


The scans collected by these machines constitute biometric data, the processing of which is prohibited under the GDPR unless certain conditions are met; processing that meets none of those conditions is unlawful. Article 9 of the GDPR dictates that one of the following criteria must be met for biometric data to be processed:


  1. The data subject has given explicit consent to the processing of that personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition may not be lifted by the data subject.
  2. Processing the biometric data is necessary for the purposes of fulfilling obligations or exercising specific rights of the controller or the data subject in the field of employment, social security or social protection law.
  3. The processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent.
  4. The processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates only to members or former members of the body, or to persons who have regular contact with it in connection with its purposes.
  5. The processing relates to personal data which is manifestly made public by the data subject.
  6. The processing is necessary for the establishment, exercise or defence of legal claims.
  7. The processing is necessary for reasons of substantial public interest, including in the area of public health.
  8. The processing is necessary for the purposes of preventive or occupational medicine.
  9. The processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.


For more clarity on what is classified as biometric data, as well as other aspects of this technology, check out our post: 14 common misconceptions on biometric identification and authentication debunked.

Does your company process biometric identification data? Aphaia provides a number of services in relation to compliance with regard to data protection, including regarding biometric data: data protection impact assessments, Data Protection Officer outsourcing, and EU AI ethics assessments. Get in touch today to find out more.

CNIL provides further guidance on collection of personal data by employers in the context of COVID-19 pandemic.

CNIL provides further guidance in the context of the global pandemic, on the collection of personal data by employers.

In the context of the health crisis brought on by the spread of the coronavirus, many authorities and organisations have been providing help and guidance to those affected, so they can navigate the current situation and continue operating during the pandemic. We are collectively at the point of the pandemic where it has been established that life must go on, and organisations and businesses are trying to establish some sort of normalcy to facilitate business continuity. The CNIL recently released a document providing guidance which may aid employers in navigating data protection in the workplace with regard to the coronavirus-related health crisis.

Employers are obligated to ensure the safety of their employees.

It is the employer’s responsibility to implement measures to prevent occupational risks, to provide information and training, and to ensure that the organisation of work and its resources are adapted to working conditions. Employers are encouraged to remind employees who work in contact with other people of their obligation to report individually, to the employer or to the competent health authorities, in the event of contamination or suspected contamination, for the sole purpose of enabling the employer to adapt working conditions.

CNIL provides guidance to employees as well, on navigating working through the pandemic.

Employees are responsible for preserving their own health and safety and also that of the people with whom they may come into contact during their professional activity. Under normal circumstances, employees who are home sick typically need only communicate the terms (usually the length) of their sick leave. However, in the context of a pandemic such as COVID-19, an employee who works in contact with other people (colleagues and the public) and who may have exposed colleagues or, for example, clients to the virus must inform their employer in the event of contamination or suspected contamination. An employee who works in isolation or teleworks need not provide this information.

How does the GDPR say that health data should be processed?

Employers can only process the health data necessary to satisfy their legal and contractual obligations, that is, the data necessary to take organisational measures (teleworking, referral to the occupational doctor, etc.), to provide training and information, and to carry out certain actions to prevent occupational risks. For this reason, the employer should process only the date, the identity of the person, the fact that they have reported being contaminated or suspecting contamination, and the organisational measures taken. The employer may communicate to health officials the elements necessary for possible health or medical care of the exposed person. However, under no circumstances may the employer identify the likely infected person to other employees or communicate any of their personal information to them.

In developing and implementing company protocols, employers cannot take measures likely to disproportionately infringe on the privacy of employees or other data subjects, in particular through the collection of health data that goes beyond managing suspected exposure to the virus in order to protect employees and the public. To be lawful, the processing must fall within one of the exceptions provided for by the GDPR, thus securing the balance between the desire to ensure the safety of individuals and respect for their fundamental rights and freedoms.

What does the law say about temperature readings at entrances?

In an effort to prevent contamination or the spread of the virus, or to remove employees who may have a fever from the working environment, some employers may wish to systematically monitor employees’ temperatures at the entrance to their premises. Recently on our blog we reported on the CNIL calling for caution in the use of smart and thermal cameras for this purpose. The CNIL has noted that the effectiveness and appropriateness of temperature measurement are disputable, as this symptom is neither systematic in, nor exclusive to, COVID-19. In any case, an individual’s body temperature constitutes sensitive data relating to their health and is therefore subject to special protection under the GDPR. In particular, Article 9 of the GDPR prohibits employers from keeping records of employees’ temperatures taken at the entrance of a site.

The CNIL further advises that only competent health personnel may collect, implement and access medical forms or questionnaires from employees or agents containing data relating to their state of health, or information relating in particular to their family situation, living conditions or possible movements. The same applies to medical, serological or COVID-19 screening tests, as their results are subject to medical confidentiality.

The CNIL has provided further tips on business continuity in the context of the pandemic.

Companies may also be required to establish a business continuity plan aimed at maintaining the essential activity of the organisation during a crisis such as the COVID-19 health crisis. This plan must include all the measures needed to protect the safety of employees, and must identify the essential activities to be maintained and the people necessary for the continuity of the service.

There are a few additional key points noted by the CNIL. The CNIL notes that the employer is responsible for the health and safety of its employees and must take collective protective measures, such as social distancing protocols and the provision of personal protective equipment, hand sanitiser and so on. The authority also reiterates that the employer does not have to organise the collection of health data from all employees. The only situation that would warrant an employer taking individual measures is when an employee reports that they may have been exposed to the virus, or may have exposed colleagues or the public to it. In addition, the authority advises that employers who would like to go beyond their obligations and check on the state of health of their employees by setting up individualised working conditions must rely on the occupational health service, which has sole competence on the subject.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 during the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.