Cookie assessment criteria published by the CNIL of France

The CNIL of France has published a cookie assessment criteria guide to aid businesses in determining the validity of cookies and other tracers. 


The CNIL has published guidelines on the use of cookies and other tracers, which initially prohibited cookie walls because they were seen as a violation of the principle of free consent. A cookie wall requires users to consent to cookies in order to gain access to a site or service. The CNIL concluded that the validity or legality of cookie walls was better determined on a case-by-case basis, rather than by prohibiting cookie walls altogether. In the absence of a position from the CJEU, the authority deemed it necessary to publish a guide containing preliminary criteria for assessing the legality of the use of cookie walls.


While not prohibited in France, a careful assessment is required prior to the implementation of cookie walls. 


Cookie walls require an internet user to accept cookies or other tracking devices in order to access the content of a website. In most cases there is an alternative, paid option, in the form of a subscription, to compensate for the advertising revenue lost when the targeted ads made possible by cookies cannot be served. The validity and legality of cookie walls are to be assessed on a case-by-case basis, according to what alternatives are offered to users who decline cookies and how reasonable those alternatives are. As the CNIL suggests, this will require a careful assessment of the alternative options.


CNIL outlined several key factors which are considered in determining the validity of cookie consent and cookie walls. 


While the validity of a cookie wall is to be determined on a case-by-case basis, there are a few key determining factors which the CNIL highlighted. For one, it matters whether or not the internet user who refuses cookies still has a fair alternative for accessing the content. In some cases, paid access can be granted, replacing the cookie wall with a paywall. Where there is a paywall to access content, the CNIL will consider whether the price is reasonable. In most cases this will be determined by the amount of ad revenue which would be lost as a result of the user refusing cookies. Another important point to consider is whether the cookie wall covers “all” cookies indiscriminately, or only certain types of cookies.


The CNIL recommends that the publisher offer a real and fair alternative allowing users to access the site if they refuse cookies, one which does not require them to consent to the use of their data. Where the user chooses paid access without consenting to cookies, there may be limited cases in which cookies can still be deposited. The CNIL stressed that users should be able to accept and refuse cookies based on their purpose, and should be able to access the site settings and revoke consent at any time.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Google reprimanded by Belgian SA

Google was reprimanded by the Belgian SA due to lack of transparency concerning a request to have articles delisted.


This recent decision by the Belgian SA concerns a lawyer who was previously disbarred less than 10 years ago, who had requested that articles and information concerning his disbarment be delisted. The complainant currently works as a legal advisor and had his complaint dismissed by the Belgian SA. According to this report by the EDPB, the Authority reprimanded Google for a lack of transparency in this case. Under the GDPR, the Belgian SA recognized some shortcomings in the manner in which Google handled the complainant’s request. 


Google reprimanded by Belgian Supervisory Authority despite the complaint made against the company being dismissed


While the Belgian Supervisory Authority dismissed the complaints regarding Google’s refusal to delist, the Authority found it necessary to reprimand the company due to shortcomings in the manner in which the delisting request was handled. Google did not honor the complainant’s request, reasoning that the public still has an interest in accessing the information concerning the lawyer through the search engine. The Belgian Supervisory Authority, while not in disagreement with this, found that the complainant was effectively ‘passed around’ from Google Ireland to Google LLC via Google Belgium, and that there were issues with the quality of the statement of why the delisting was refused. This statement was said to lack transparency, and to be in violation of Article 12 of the GDPR.


The Belgian Supervisory Authority found issues with the quality of the response to the data subject’s request.


Although the complaint was brought under Article 17 of the GDPR, the Belgian Supervisory Authority found Google to be in violation of Article 12 of the GDPR. Article 17 relates to the data subject’s right to erasure, and while the Authority dismissed the complaints of the data subject in this instance, the company was found to be in violation of Article 12 due to the lack of transparency in responding to the data subject’s request. Article 12 states that “the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” In this case, due to the unclear identification of the controller, the Authority found issues with the quality of the response to the data subject’s request, and reprimanded the company.


Protection of health data: new section on AEPD website

The AEPD has launched a new section on its website containing information and resources specific to the protection of health data.


The Spanish Agency for Data Protection (AEPD) recently published a new web space in the Areas of Interest section on its website, to facilitate consultation and disseminate information on the processing of health data. The aim of this initiative is to respond to the needs expressed by representatives of the health sector to have a compilation of legislation and other resources on the topic of health and data protection. Health data is considered special category data and therefore special provisions are to be made for the protection of this type of data in particular. 


This new section of the AEPD website contains information intended for various members of the community.


The resources provided by the AEPD in this new section of its website are intended for citizens, data controllers, data protection professionals, health institutions and the pharmaceutical industry, among others. It is made up of seven sections, which include general information on the processing of health data and on how to exercise the right of access to medical records. In addition, there are answers to questions related to medical research. It also outlines the criteria set by the AEPD in response to queries raised by members of the health sector, as well as information on inspections that have been carried out. Additional resources in this new section cover topics related to health research and clinical trials, as well as personal data breaches within the health sector.


Health officials and other concerned parties are encouraged to make use of these resources.


The new section of AEPD’s website was launched on May 3rd and contains several useful links. It is expected that the information contained therein will be updated regularly, and kept up to date with news, important legislative updates, and any personal data breaches which concern specifically health data. This new web space can be accessed via this link and can be used by anyone, to stay up to date on any developments with regards to health data. Health officials and other concerned parties are encouraged to make use of this new, very valuable resource provided by the AEPD.


Danish bank fined for failure to delete the data it no longer needed

The Danish SA has proposed a fine, and has reported Danske Bank to the police, after the bank reportedly neglected to delete data it no longer needed.


The Danish Supervisory Authority has filed a police report against Danske Bank and proposed a fine of €1.3 million on the bank, according to this report from the EDPB. This is the result of an investigation dating back to November 2020, when the Authority initiated a case of its own motion after the bank had reported that it had identified a problem with the deletion of personal data for which there was no longer any justification for processing. A legal basis for the processing of personal data is required under the GDPR, and data must only be kept for as long as absolutely necessary.


The bank was unable to demonstrate compliance and was therefore found to have infringed on Article 5(2) of the GDPR. 


In connection with the Danish SA’s investigation, it was found that the bank had not been able to show that rules had been laid down dictating how the bank would handle the storage and deletion of personal data, nor was the bank able to prove that manual deletion of personal data was being carried out. Article 5(2) specifically states that the data controller shall be responsible for, and must be able to demonstrate compliance with, paragraph 1. Article 5(1)(e) specifically states that “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” According to Kenni Elm Olsen, specialist consultant at the Danish Data Protection Agency, “One of the basic principles of the GDPR is that you can only process information you need – and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place.”


A total fine of €1.3 million has been proposed after the Danish SA considered the several details of this case. 


In determining what fine should be proposed, the Danish Supervisory Authority considered that the breach in question relates to a basic principle of the GDPR (Article 5) governing the processing of personal data. The Authority also considered that the actions of the bank affected a large number of data subjects: the bank’s systems process the personal data of several million data subjects. The Danish Data Protection Agency emphasized the nature and seriousness of the infringement and also the requirement that a fine must be effective, proportionate to the infringement, and have a deterrent effect. In addition, the Authority considered that Danske Bank actively volunteered information during the case, and believes that the bank has indeed tried to curb the potential damage to data subjects. As a result, a total fine of €1.3 million has been proposed.

