<?xml version="1.0" encoding="utf-8"?> <rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.edpb.europa.eu/edpb_en"> <channel> <title>Slovenia</title> <link>https://www.edpb.europa.eu/edpb_en</link> <description/> <language>en</language> <item> <title>The French SA fines COSMOSPACE EUR 250,000 and TELEMAQUE EUR 150,000</title> <link>https://www.edpb.europa.eu/news/news/2024/french-sa-fines-cosmospace-eur-250000-and-telemaque-eur-150000_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">The French SA fines COSMOSPACE EUR 250,000 and TELEMAQUE EUR 150,000</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2024-11-20T17:15:38+01:00" title="Wednesday, November 20, 2024 - 17:15" class="news-date">Wed, 20/11/2024 - 17:15</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2022-09/one_stop_shop.jpg?itok=vzSEhOod" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">20 November 2024</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/austria_en" hreflang="en">Austria</a></li> <li class="field__item d-inline" id="member-state-1"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/belgium_en" hreflang="en">Belgium</a></li> <li class="field__item d-inline" id="member-state-2"><a 
href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/denmark_en" hreflang="en">Denmark</a></li> <li class="field__item d-inline" id="member-state-3"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/cyprus_en" hreflang="en">Cyprus</a></li> <li class="field__item d-inline" id="member-state-4"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/croatia_en" hreflang="en">Croatia</a></li> <li class="field__item d-inline" id="member-state-5"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/czech-republic_en" hreflang="en">Czech Republic</a></li> <li class="field__item d-inline" id="member-state-6"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/france_en" hreflang="en">France</a></li> <li class="field__item d-inline" id="member-state-7"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/germany_en" hreflang="en">Germany</a></li> <li class="field__item d-inline" id="member-state-8"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/greece_en" hreflang="en">Greece</a></li> <li class="field__item d-inline" id="member-state-9"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/hungary_en" hreflang="en">Hungary</a></li> <li class="field__item d-inline" id="member-state-10"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/italy_en" hreflang="en">Italy</a></li> <li class="field__item d-inline" id="member-state-11"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/latvia_en" hreflang="en">Latvia</a></li> <li class="field__item d-inline" id="member-state-12"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/luxembourg_en" hreflang="en">Luxembourg</a></li> <li class="field__item d-inline" id="member-state-13"><a 
href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/malta_en" hreflang="en">Malta</a></li> <li class="field__item d-inline" id="member-state-14"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/netherlands_en" hreflang="en">Netherlands</a></li> <li class="field__item d-inline" id="member-state-15"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/portugal_en" hreflang="en">Portugal</a></li> <li class="field__item d-inline" id="member-state-16"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/poland_en" hreflang="en">Poland</a></li> <li class="field__item d-inline" id="member-state-17"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> <li class="field__item d-inline" id="member-state-18"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/sweden_en" hreflang="en">Sweden</a></li> <li class="field__item d-inline" id="member-state-19"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/spain_en" hreflang="en">Spain</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><h3>Background information</h3> <ul> <li>Date of final decision: 26 September 2024</li> <li>Cross-border case</li> <li>LSA: France</li> <li>CSAs:&nbsp; <ul> <li>For TELEMAQUE: Germany, Austria, Belgium, Cyprus, Spain, Greece, Hungary, Italy, Latvia, Luxembourg, Netherlands, Portugal, Czech Republic, Sweden.</li> <li>For COSMOSPACE: Germany, Austria, Belgium, Croatia, Denmark, Spain, Greece, Italy, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Sweden.</li> </ul> </li> <li>Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 9 (Processing of special categories of personal data)</li> <li>Decision: Administrative fine</li> 
<li>Key words:&nbsp;Sensitive data, Data retention, Commercial prospecting, Telephone call recording</li> </ul> <h3>&nbsp;</h3> <h3>Summary of the Decision</h3> <p>&nbsp;</p> <h4>Origin of the case</h4> <p>&nbsp;COSMOSPACE and TELEMAQUE provide remote clairvoyance services, one by telephone and the other by online chat and text messages.</p> <p>Inspections carried out by the CNIL in 2021 revealed several breaches, including the collection of sensitive data without prior explicit consent (in particular health data and data relating to sexual orientation), the retention of data for an excessive period, the sending of commercial prospection communications to people who had not given their consent and, in the case of COSMOSPACE, systematic recording of telephone calls.</p> <p>&nbsp;</p> <h4>Key Findings&nbsp;</h4> <ul> <li>Failure to comply with the obligation to minimise personal data collection and processing by COSMOSPACE (Article 5.1.c of the GDPR)</li> <li>Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e of the GDPR)</li> <li>Failure to comply with the obligation to obtain prior consent from individuals to process special categories of personal data (Article 9 of the GDPR)</li> <li>Failure to comply with the obligation to obtain consent to receive commercial prospecting by electronic means (Article L.34-5 of the French Postal and Electronic Communications Code (CPCE))</li> </ul> <p>&nbsp;</p> <h4>Decision&nbsp;</h4> <p>The CNIL imposed a fine of EUR 250,000 on COSMOSPACE and a fine of EUR 150,000 on TELEMAQUE. These fines were adopted in cooperation with about fifteen European counterparts of the CNIL in both cases.</p> <p>The amounts of these fines were decided on the basis of the seriousness of the breaches, the number of people concerned - the database shared by the two companies containing the data of more than 1.5 million people - and the sensitivity of the data processed. 
The financial situations of the companies and their structures were also taken into account, in order to set dissuasive but proportionate fines.</p> <p><span lang="EN-GB"><strong>Further information:&nbsp;</strong></span></p> <ul> <li><a href="https://www.cnil.fr/fr/voyance-en-ligne-sanctions-de-250-000-et-150-000-euros-cosmospace-telemaque" target="_blank"><span lang="EN-GB"><strong>Voyance en ligne : sanctions de 250 000 et 150 000 euros à l’encontre des sociétés COSMOSPACE et TELEMAQUE</strong></span></a><span lang="EN-GB"><strong> </strong>(FR)</span></li> <li><a href="https://www.cnil.fr/en/online-clairvoyance-cosmospace-and-telemaque-fined-eu250000-and-eu150000" target="_blank"><span lang="EN-GB"><strong>Online clairvoyance: COSMOSPACE and TELEMAQUE fined €250,000 and €150,000 </strong></span></a><span lang="EN-GB">(EN)</span></li> </ul> </div> </description> <pubDate>Wed, 20 Nov 2024 16:15:38 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">8108 at https://www.edpb.europa.eu</guid> </item> <item> <title>Monitoring employees and broadcasting CCTV footage: Slovenian SA fines DODO PIZZA</title> <link>https://www.edpb.europa.eu/news/national-news/2024/monitoring-employees-and-broadcasting-cctv-footage-slovenian-sa-fines-dodo_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Monitoring employees and broadcasting CCTV footage: Slovenian SA fines DODO PIZZA</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>ikuijlsa</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2024-11-04T14:59:56+01:00" title="Monday, November 4, 2024 - 14:59" class="news-date">Mon, 04/11/2024 - 14:59</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image 
field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2021-09/nationalpressrealease_slovenia.jpg?itok=YWkX-7Qw" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">4 November 2024</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><h3>Background information</h3> <ul> <li>Date of final decision: 5 October 2024</li> <li>National case</li> <li>Legal reference:&nbsp; Article 6 (Lawfulness of processing)</li> <li>Decision: Compliance order, Definitive limitation data processing, Administrative fine</li> <li>Key words: CCTV, Lawfulness of processing, Legitimate interest, Employment</li> </ul> <h3><br>Summary of the Decision</h3> <h4>Origin of the case</h4> <p>The Slovenian Supervisory Authority (SA) carried out an investigation in 2023 against the company FOVELLA d.o.o., acting as the owner of DODO PIZZA franchise in Slovenia.&nbsp;</p> <p>The investigation revealed unlawful monitoring of employees in the restaurant’s kitchen via CCTV and unlawful broadcasting of these CCTV footages live on the company’s website. Such broadcasting appeared to be part of the company’s business model.</p> <h4><br>Key findings</h4> <p>The Slovenian SA found two breaches in the inspection proceeding. First, unlawful CCTV instalments inside working premises – the restaurant’s kitchen, since such monitoring of employees can only be carried out as an exception (ultima ratio) and when it is absolutely necessary for the safety of people or property (violation of Article 78 of the national Data Protection Act). 
And second, these CCTV footages were broadcasted live on the company’s website <a href="https://dodopizza.si/ljubljana" target="_blank">https://dodopizza.si/ljubljana</a>.</p> <p>The controller failed to demonstrate compliance with Article 6 of the GDPR in accordance with the accountability principle. Slovenian SA decided that there is no legal basis under Article 6 of the GDPR for the broadcast of the CCTV footage of employees working in the kitchen live on the company's website, not even legitimate interest of the controller, since already CCTV inside the working premises was found unlawful under national legislation.</p> <h4><br>Decision</h4> <p>The Slovenian SA imposed a fine of EUR 25.000,00 on FOVELLA d.o.o. for unlawful CCTV inside the restaurant's kitchen, together with the broadcast of these CCTV footages via the company's website and notified of its decision also other DPAs, since DODO PIZZA has its franchises also in other EU countries.&nbsp;</p> <p>For violation of Article 76, paragraph three and four of the national Data Protection Act and Article 13 of the GDPR since the company also failed to inform data subjects of the data processing, a reprimand was issued to the controller. The decision in inspection and misdemeanor proceedings are both final.</p> <p>&nbsp;</p> <p><strong>For further information: </strong>download <a href="https://www.ip-rs.si/fileadmin/user_upload/zip/Ponovna_uporaba/2024/September/Odlocbe-ZP_September-2024.zip" target="_blank">the decision</a> in national language - zip file.</p> </div> <div class="clearfix text-formatted field field--name-field-edpb-disclaimer field--type-text-long field--label-hidden field__item"><p><em>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. 
Any questions regarding this news item should be directed to the supervisory authority concerned.</em></p> </div> </description> <pubDate>Mon, 04 Nov 2024 13:59:56 +0000</pubDate> <dc:creator>ikuijlsa</dc:creator> <guid isPermaLink="false">8089 at https://www.edpb.europa.eu</guid> </item> <item> <title>SI SA Standard Contractual Clauses for the purposes of compliance with art. 28 GDPR </title> <link>https://www.edpb.europa.eu/our-work-tools/consistency-findings/register-decisions/2023/si-sa-standard-contractual-clauses_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">SI SA Standard Contractual Clauses for the purposes of compliance with art. 28 GDPR </span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2023-04-13T10:24:08+02:00" title="Thursday, April 13, 2023 - 10:24" class="news-date">Thu, 13/04/2023 - 10:24</span> </span> <div class="field field--name-field-edpb-decision-type field--type-list-string field--label-inline"> <div class="field__label">Decision Type</div> <div class="field__item">SA</div> </div> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <span class="news-date mr-3 d-inline-block">13 April 2023</span> <ul class="topic-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline-block mb-1" id="topic-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/topic/standard-contractual-clauses_en" hreflang="en">Standard contractual clauses</a></li> <li class="field__item d-inline-block mb-1" id="topic-1"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/topic/controller_en" 
hreflang="en">Controller</a></li> <li class="field__item d-inline-block mb-1" id="topic-2"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/topic/processor_en" hreflang="en">Processor</a></li> </ul> <div class="field field--name-field-edpb-files field--type-entity-reference field--label-inline row"> <div class="col-sm-7 pr-0 d-flex align-items-center document-title p-3 p-lg-4"> <div class="field__label file file--application-pdf w-100"> <span class="file-label">SI SA: Standard contract clauses (EN)</span> <span class="file-size font-italic d-block mt-1">265.5KB</span> </div> </div> <div class="col-sm-3 pl-3 pr-5 d-flex align-items-center download-language"> <div class="w-100 py-3"> <span class="file-select-box"><select><option data-label="SI SA: Standard contract clauses (EN)" data-url="/system/files/2023-04/si_sa_standard_contract_clauses_en.pdf" data-mime="application-pdf" data-size="265.5KB" selected="selected">English</option> </select> </span> </div> </div> <div class="col-sm-2 px-0 d-flex align-items-center download-button text-center"> <a class="file-download btn btn-block btn-download" href="https://www.edpb.europa.eu/system/files/2023-04/si_sa_standard_contract_clauses_en.pdf" target="_blank"> <i class="fas fa-download d-block mb-2 fa-2x"></i> Download file 1 </a> </div> </div> <div class="field field--name-field-edpb-files field--type-entity-reference field--label-inline row"> <div class="col-sm-7 pr-0 d-flex align-items-center document-title p-3 p-lg-4"> <div class="field__label file file--application-pdf w-100"> <span class="file-label">SI SA: Standardna pogodbena določila (SI)</span> <span class="file-size font-italic d-block mt-1">314.1KB</span> </div> </div> <div class="col-sm-3 pl-3 pr-5 d-flex align-items-center download-language"> <div class="w-100 py-3"> <span class="file-select-box"><select></select> </span> </div> </div> <div class="col-sm-2 px-0 d-flex align-items-center download-button text-center"> <a class="file-download btn 
btn-block btn-download" href="https://www.edpb.europa.eu/system/files/2023-04/si_sa_standardna_pogodbena_dolocila_si.pdf" target="_blank"> <i class="fas fa-download d-block mb-2 fa-2x"></i> Download file 2 </a> </div> </div> <div class="field field--name-field-edpb-opinion-binding field--type-entity-reference field--label-above"> <div class="field__label">Opinion / Binding decision References</div> <div class="field__items"> <div class="field__item"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-172020-draft-standard-contractual-clauses_en" hreflang="en">Opinion 17/2020 on the draft Standard Contractual Clauses submitted by the SI SA (Article 28(8) GDPR)</a></div> </div> </div> </description> <pubDate>Thu, 13 Apr 2023 08:24:08 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">5209 at https://www.edpb.europa.eu</guid> </item> <item> <title>Finnish SA: administrative fine on company for processing health information without an appropriate consent</title> <link>https://www.edpb.europa.eu/news/national-news/2023/finnish-sa-administrative-fine-company-processing-health-information_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Finnish SA: administrative fine on company for processing health information without an appropriate consent</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2023-01-27T14:08:39+01:00" title="Friday, January 27, 2023 - 14:08" class="news-date">Fri, 27/01/2023 - 14:08</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" 
src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2022-09/one_stop_shop.jpg?itok=vzSEhOod" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">27 January 2023</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/finland_en" hreflang="en">Finland</a></li> <li class="field__item d-inline" id="member-state-1"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/italy_en" hreflang="en">Italy</a></li> <li class="field__item d-inline" id="member-state-2"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/belgium_en" hreflang="en">Belgium</a></li> <li class="field__item d-inline" id="member-state-3"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/czech-republic_en" hreflang="en">Czech Republic</a></li> <li class="field__item d-inline" id="member-state-4"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/france_en" hreflang="en">France</a></li> <li class="field__item d-inline" id="member-state-5"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/denmark_en" hreflang="en">Denmark</a></li> <li class="field__item d-inline" id="member-state-6"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/greece_en" hreflang="en">Greece</a></li> <li class="field__item d-inline" id="member-state-7"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/germany_en" hreflang="en">Germany</a></li> <li class="field__item d-inline" id="member-state-8"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/hungary_en" hreflang="en">Hungary</a></li> <li class="field__item d-inline" id="member-state-9"><a 
href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/netherlands_en" hreflang="en">Netherlands</a></li> <li class="field__item d-inline" id="member-state-10"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/norway_en" hreflang="en">Norway</a></li> <li class="field__item d-inline" id="member-state-11"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovakia_en" hreflang="en">Slovakia</a></li> <li class="field__item d-inline" id="member-state-12"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> <li class="field__item d-inline" id="member-state-13"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/sweden_en" hreflang="en">Sweden</a></li> <li class="field__item d-inline" id="member-state-14"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/luxembourg_en" hreflang="en">Luxembourg</a></li> <li class="field__item d-inline" id="member-state-15"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/spain_en" hreflang="en">Spain</a></li> <li class="field__item d-inline" id="member-state-16"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/poland_en" hreflang="en">Poland</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><h1>Background information</h1> <ul> <li>Date of final decision: 27 December 2022</li> <li>Cross-border case, the decision was taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (OSS).</li> <li>LSA: Finland</li> <li>CSAs: Italy, Belgium, Czech Republic, France, Denmark,</li> <li>Greece, Germany, Hungary, the Netherlands, Norway, Slovakia, Slovenia, Sweden,</li> <li>Luxembourg, Spain and Poland</li> <li>Legal Reference: Processing of special categories of personal 
data (Article 9(2)), Conditions for consent (Article 7(2) and Article 7(4))</li> <li>Decision: Administrative fine, reprimand</li> <li>Key words: Health data, consent</li> </ul> <h2>Summary of the Decision</h2> <h3>&nbsp;</h3> <h3>Origin of the case</h3> <p>The Finnish SA investigated the company's practices based on complaints made in 2018–2019. The investigations revealed that the company did not have the consent required by the GDPR for processing data on body mass indices and maximal oxygen uptake.</p> <h3>Key Findings</h3> <p>The company had asked for consent to the processing of health data in general but had not specified which data it was collecting and processing. The consent requested did not meet the requirements of the GDPR as it was not specific and informed.</p> <p>The SA finds that the controller had informed the data subjects of the processing of their personal data but had nevertheless not provided sufficient information on the types of personal data being processed and the purposes of processing each type.</p> <p>The SA especially pointed out that the extensive processing of health data is part of the company's core business.</p> <h3>Decision</h3> <p>The Finnish SA imposed an administrative fine of EUR 122,000 on the company. The company was also issued a reprimand. 
In addition, the Finnish SA ordered the company to rectify its practices for requesting consent.</p> <p>For further information:</p> <ul> <li><a href="https://finlex.fi/fi/viranomaiset/tsv/2022/20221643">National decision</a> (FI)</li> <li>Press release on the Finnish SA’s website: <a href="https://tietosuoja.fi/en/-/administrative-fine-imposed-on-company-for-processing-health-information-without-the-appropriate-consent">Administrative fine imposed on company for processing health information without the appropriate consent</a> (11 January 2023)</li> </ul> </div> <div class="clearfix text-formatted field field--name-field-edpb-disclaimer field--type-text-long field--label-hidden field__item"><p><i>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.</i></p> </div> </description> <pubDate>Fri, 27 Jan 2023 13:08:39 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">4814 at https://www.edpb.europa.eu</guid> </item> <item> <title>The controller cannot use video surveillance as means to reconstruct accidents </title> <link>https://www.edpb.europa.eu/news/national-news/2022/controller-cannot-use-video-surveillance-means-reconstruct-accidents_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">The controller cannot use video surveillance as means to reconstruct accidents </span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2022-12-01T10:14:52+01:00" title="Thursday, December 1, 2022 - 10:14" class="news-date">Thu, 01/12/2022 - 10:14</span> </span> 
<div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2021-09/nationalpressrealease_slovenia.jpg?itok=YWkX-7Qw" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">6 October 2022</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><h2>Background information</h2> <ul> <li>Date of final decision: 6 October 2022</li> <li>Controller: employer in private sector</li> <li>Legal Reference: National Law (Personal Data Protection Act)</li> <li>Decision: Order to comply</li> <li>Key words: Video surveillance in work areas</li> </ul> <h2>Summary of the Decision</h2> <h3>&nbsp;</h3> <h3>Origin of the case</h3> <p>The data controller, engaged in metal machining, installed video surveillance inter alia in work areas. According to the national law, video surveillance within work areas may only be implemented in exceptional cases when it is necessarily required for the safety of people or property or to protect secret data and business secrets. 
Video surveillance in work areas can be implemented exceptionally, when it is absolutely necessary for safeguarding the legal assets and this purpose cannot be reached by milder measures.</p> <h3>&nbsp;</h3> <h3>Key Findings</h3> <p>The controller stated that cameras were installed for the purpose of monitoring the proper use of machinery, preventing serious injury or death and major damage to property. Video surveillance is aimed at distracting the workers from carrying out their tasks in contravention to the workplace safety rules. The controller also claimed that video surveillance enables him to determine the causes of accidents which prevent future accidents.</p> <p>The Slovenian Supervisory Authority, SA found that the cameras were recording the entire working area.</p> <h3>&nbsp;</h3> <h3>Decision</h3> <p>Slovenian SA emphasised that other factors, which relate to workplace safety need to be considered. Employer is obligated to ensure workplace safety and monitor the compliance of work tasks with working safety rules.&nbsp; Nevertheless, for achieving this goal he is not permitted to use all means at his disposal, disregarding the rights and freedoms of individuals. The controller did not demonstrate that safety of people and property cannot be ensured with milder measures.</p> <p>Slovenian SA confirmed that it is possible to reconstruct the accidents and injuries when working with machinery by examining video recordings, but highlighted that this is not the only way to determine course of events. For example, the controller can collect statements of employees and use the data, processed by the machinery itself. The risks posed by machine operation and measures to be taken to prevent the danger are well-known to the employer and to workers. Risks are not detected only at the time of reconstruction. Also, the reconstruction happens after the accident has already occurred. 
For preventing accidents, the employer has to inform and alert the employees of correct use of machinery and implementation of prescribed measures. &nbsp;</p> <p>Slovenian SA ordered the controller to remove the cameras monitoring the work area, since it did not demonstrate the absolute necessity of such a measure.</p> <p>&nbsp;</p> </div> <div class="clearfix text-formatted field field--name-field-edpb-disclaimer field--type-text-long field--label-hidden field__item"><p><i>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.</i></p> </div> </description> <pubDate>Thu, 01 Dec 2022 09:14:52 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">4445 at https://www.edpb.europa.eu</guid> </item> <item> <title>Safety of property can be a legitimate interest for GPS tracking, but the measure must be appropriate and necessary </title> <link>https://www.edpb.europa.eu/news/national-news/2022/safety-property-can-be-legitimate-interest-gps-tracking-measure-must-be_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Safety of property can be a legitimate interest for GPS tracking, but the measure must be appropriate and necessary </span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2022-11-09T11:22:09+01:00" title="Wednesday, November 9, 2022 - 11:22" class="news-date">Wed, 09/11/2022 - 11:22</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field 
field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2021-09/nationalpressrealease_slovenia.jpg?itok=YWkX-7Qw" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">4 October 2022</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><h2>Background information</h2> <ul> <li>Date of final decision: 04 October 2022</li> <li>Controller: employer in private sector</li> <li>Legal Reference: National Law (Personal Data Protection Act), Article 5.1(c) and 6.1(f) of the GDPR</li> <li>Decision: Order to comply</li> <li>Key words: GPS tracking</li> </ul> <h2>&nbsp;</h2> <h2>Summary of the Decision</h2> <h3>&nbsp;</h3> <h3>Origin of the case</h3> <p>The data controller introduced GPS tracking of seven company vehicles in 2009, after a theft event at worksite. The vehicles were used for fieldwork transport and installation of equipment at client’s premises. The purpose of GPS tracking was to insure the vehicles, expensive equipment and documents, that are in the vehicle in case of theft.</p> <p>The controller stated that GPS tracking did not represent data processing and that individuals could be identified only in exceptional cases (criminal offences, protection of people and property, traffic accidents, claim event, etc.). GPS application could not access personal data of employers, who used the vehicle, because they were kept in a separate record. 
The data was processed by application and monitored by external contractor.</p> <h3>&nbsp;</h3> <h3>Key Findings</h3> <p>The Slovenian Supervisory Authority (SA) determined that the controller carried out GPS tracking of eight company vehicles. The vehicles were used by employees as delivery vehicles and passenger delivery vehicles. Tracking was carried out by a special transmitter in the vehicle and monitored by an application that continuously recorded the distance travelled. Individuals were identifiable.<br> A special record was being created containing a large amount of location data of employees. The data was processed continuously, systematically and automatically so that the employer could determine in any moment, where an individual traveling with one of the vehicles was located. The data could be accessed also retrospectively. &nbsp;The employer could easily determine the employee who was using the company vehicle and to whom the location data is attributable.</p> <p>The Slovenian SA was investigating if there was a legal basis for processing the personal data pursuant to Article 6 of the GDPR. &nbsp;</p> <h3>&nbsp;</h3> <h3>Decision</h3> <p>The Slovenian SA was assessing whether data processing was lawful in accordance to Article 6.1 (f) of the GDPR – legitimate interests.</p> <p>Slovenian SA confirmed that providing safety of property can be in a legitimate interest of the data controller, but the controller did not demonstrate that the way the measure was carried out was appropriate and necessary. 
It was found that GPS tracking was carried out also while the vehicle and the property in it were under constant and direct supervision of an employee.</p> <p>Slovenian SA decided that in the specific case GPS tracking could only be used in a way that the driver could turn on the GPS on the location where the vehicle, the equipment and the documents could be at risk and turn it off after returning to the vehicle, when the protected goods were again under direct supervision of an employee.</p> <p>Regarding safety of individuals in case of traffic accidents Slovenian SA decided that constant GPS tracking was disproportionate. The place of the accident is usually known, the location of the accident could also be reported by the driver himself. The controller should use a less intrusive measure on individual’s information privacy.</p> <p>Slovenian SA decided the controller did not demonstrate legitimate interests according to Article 6.1 (f) and that the GPS tracking was not in accordance with the principle of data minimisation (Article 5.1 (c) of the GDPR). &nbsp;</p> <p>Slovenian SA ordered the controller to stop processing the data of employees that were collected by continuous, systematic and automatic GPS tracking.</p> <p>&nbsp;</p> </div> <div class="clearfix text-formatted field field--name-field-edpb-disclaimer field--type-text-long field--label-hidden field__item"><p><i>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. 
Any questions regarding this news item should be directed to the supervisory authority concerned.</i></p> </div> </description> <pubDate>Wed, 09 Nov 2022 10:22:09 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">4409 at https://www.edpb.europa.eu</guid> </item> <item> <title>Video recordings, in relation to which the individual is exercising his right of access, must be appropriately protected against erasure</title> <link>https://www.edpb.europa.eu/news/national-news/2022/video-recordings-relation-which-individual-exercising-his-right-access-must_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Video recordings, in relation to which the individual is exercising his right of access, must be appropriately protected against erasure</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2022-12-01T10:21:02+01:00" title="Thursday, December 1, 2022 - 10:21" class="news-date">Thu, 01/12/2022 - 10:21</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2021-09/nationalpressrealease_slovenia.jpg?itok=YWkX-7Qw" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">13 September 2022</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body 
field--type-text-with-summary field--label-hidden field__item"><h2>Background information</h2> <ul> <li>Date of final decision: 2 December 2021 (inspection) and 13 September 2022 (offence)</li> <li>Controller: Public penal institution (prison)</li> <li>Legal Reference: National Law (Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences)</li> <li>Decision: Rejection of the appeal</li> <li>Key words: Right of access by the data subject</li> </ul> <h2>&nbsp;</h2> <h2>Summary of the Decision</h2> <h3>&nbsp;</h3> <h3>Origin of the case</h3> <p>The applicant requested a copy of video recordings of his movement in block 1 of a prison for a certain date and period of time. The controller rejected his request on the grounds of Article 25 of the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences, providing that the law can partially or completely restrict the right of access by a data subject, inter alia, when it could prevent the obstruction or interference with official procedures and for the protection or exercise of human rights and fundamental freedoms of third parties.</p> <p>The controller also argued that his internal video surveillance rules provide that video recordings are marked as classified. According to the national Classified Information Act, only persons who have permission and have to be informed for the performance of their duties can access classified data.</p> <h3>&nbsp;</h3> <h3>Key Findings</h3> <p>The Slovenian Supervisory Authority (SA) determined that the video recordings in question do not exist. According to the controller’s internal rules, the data must be kept for at least 20 days and a maximum of one year. Video recordings were actually stored for a period of one month, after which they were automatically deleted. 
Slovenian SA could not assess the controller’s claims on possible grounds for restriction of the right to access, because for full examination the video recordings should have been submitted to the SA. &nbsp;&nbsp;&nbsp;</p> <h3>&nbsp;</h3> <h3>Decision</h3> <p>Slovenian SA rejected the appeal of the individual, but started an offence proceeding against the controller. Slovenian SA found that the director of the prison is responsible for not implementing technical and organisational measures appropriate to ensure the video recordings, after receiving an access request, would not be deleted. The director as person responsible was aware of the request of the individual and taking into account the fact that the recordings were still existing on the day when the request was submitted, he allowed the recordings to be automatically deleted. Taking all circumstances of the offence into account, Slovenian SA issued the director a warning.</p> </div> <div class="clearfix text-formatted field field--name-field-edpb-disclaimer field--type-text-long field--label-hidden field__item"><p><i>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. 
Any questions regarding this news item should be directed to the supervisory authority concerned.</i></p> </div> </description> <pubDate>Thu, 01 Dec 2022 09:21:02 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">4448 at https://www.edpb.europa.eu</guid> </item> <item> <title>Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR</title> <link>https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-162022-draft-decision-competent_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>iolbrean</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2022-07-14T16:55:15+02:00" title="Thursday, July 14, 2022 - 16:55" class="news-date">Thu, 14/07/2022 - 16:55</span> </span> <span class="news-date mr-3 d-inline-block">4 July 2022</span> <div class="field field--name-field-edpb-files field--type-entity-reference field--label-inline row"> <div class="col-sm-7 pr-0 d-flex align-items-center document-title p-3 p-lg-4"> <div class="field__label file file--application-pdf w-100"> <span class="file-label">Opinion 16/2022</span> <span class="file-size font-italic d-block mt-1">1.4MB</span> </div> </div> <div class="col-sm-3 pl-3 pr-5 d-flex align-items-center download-language"> <div class="w-100 py-3"> <span class="file-select-box"><select><option data-label="Opinion 16/2022" 
data-url="/system/files/2022-07/edpb_2022-16_opinion_on_si_sas_accreditation_requirements_for_monitoring_body_en.pdf" data-mime="application-pdf" data-size="1.4MB" selected="selected">English</option> <option data-label="Mnenje št. 16/2022" data-url="/system/files/2023-01/edpb_2022-16_opinion_on_si_sas_accreditation_requirements_for_monitoring_body_sl.pdf" data-mime="application-pdf" data-size="821.9KB">Slovenian</option> </select> </span> </div> </div> <div class="col-sm-2 px-0 d-flex align-items-center download-button text-center"> <a class="file-download btn btn-block btn-download" href="https://www.edpb.europa.eu/system/files/2022-07/edpb_2022-16_opinion_on_si_sas_accreditation_requirements_for_monitoring_body_en.pdf" target="_blank"> <i class="fas fa-download d-block mb-2 fa-2x"></i> Download </a> </div> </div> <div class="field field--name-field-edpb-member-states field--type-entity-reference field--label-inline mb-1 d-inline-block"> <div class="field__label d-none pr-0">Members:</div> <ul class="member-states-list field__items d-inline-block pl-0 mb-0"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> </div> <div class="field field--name-field-edpb-topics field--type-entity-reference field--label-inline mb-1"> <div class="field__label d-none pr-0">Topics:</div> <ul class="topic-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline-block mb-1" id="topic-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/topic/code-conduct_en" hreflang="en">Code of conduct</a></li> </ul> </div> </description> <pubDate>Thu, 14 Jul 2022 14:55:15 +0000</pubDate> <dc:creator>iolbrean</dc:creator> <guid isPermaLink="false">3943 at https://www.edpb.europa.eu</guid> </item> <item> <title>Slovenian Administrative Court upholds the decision of the Slovenian SA: the right of erasure does not enable an individual to 
have his personal data erased from Baptismal Register</title> <link>https://www.edpb.europa.eu/news/national-news/2021/slovenian-administrative-court-upholds-decision-slovenian-sa-right-erasure_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Slovenian Administrative Court upholds the decision of the Slovenian SA: the right of erasure does not enable an individual to have his personal data erased from Baptismal Register</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>iolbrean</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2021-10-18T10:48:03+02:00" title="Monday, October 18, 2021 - 10:48" class="news-date">Mon, 18/10/2021 - 10:48</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2021-09/nationalpressrealease_slovenia.jpg?itok=YWkX-7Qw" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">18 October 2021</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><div> <div> <h2>Background information</h2> <p>Date of final decision: 2 June 2020<br> Cross-border case or national case: National case<br> Controller: A parish of the Roman Catholic Church<br> Legal Reference: Right of erasure (Article 17)<br> Decision: Dismissal of the 
complaint<br> Keywords: Archiving purposes in the public interest, Religious freedom</p> <h2>Summary of the Decision</h2> <p>A parish of the Roman Catholic Church was processing the application of an individual on the right of erasure. The individual requested his personal data to be erased from the Baptismal Register, because he was no longer a member of the church. In his opinion, the collected data are no longer necessary in relation to the purposes for which they were collected. He did not give consent for his baptism or processing of his personal data. The individual also claimed that personal data entered in the register reveal religious beliefs and interfere with his religious freedom.&nbsp;&nbsp;</p> <p>The data collected in the register were: first and last name of individual, date of birth, date of baptism, names of parents and godparents and place of residence. The parish claimed that the legal basis for the processing of data in the register is mainly the Protection of Documents and Archives and Archival Institutions Act, which classifies the registry as archival material of outstanding national importance, therefore it is not allowed to delete any of the data contained. The parish has also made an additional entry in the register stating that the person is no longer a member of the church. The SA assessed if the processing is necessary for archiving purposes in the public interest in accordance with Article 89(1) GDPR and if the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing (Article 17(3)(d) GDPR).</p> <p>The SA emphasised, that the above mentioned act itself stipulates that the church documentary material has the characteristics of archival material. It is also subject to the principles of permanence and integrity and it provides measures which can be considered as appropriate safeguards according to 89(1) GDPR. 
The SA decided that the Baptismal Register is an archive document according to the national act and that the individual cannot claim the right of erasure when the processing is needed for archiving purposes in the public interest. Deletion of the data would seriously hamper the achievement of these objectives. The decision has been challenged in the court of justice. The Administrative Court upheld the decision of the SA and added that the individual is not faced with religious elements by the mere fact that the parish stores his data in the register. The subsequent entry clearly demonstrates that the individual is no longer a member of the church, which is also a representation of his right not to belong to a religion.</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p><i>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. 
Any questions regarding this news item should be directed to the supervisory authority concerned</i></p> </div> </div> </div> </description> <pubDate>Mon, 18 Oct 2021 08:48:03 +0000</pubDate> <dc:creator>iolbrean</dc:creator> <guid isPermaLink="false">2388 at https://www.edpb.europa.eu</guid> </item> <item> <title>Dutch SA fines Transavia for poor personal data security</title> <link>https://www.edpb.europa.eu/news/national-news/2021/dutch-sa-fines-transavia-poor-personal-data-security_en</link> <description><span class="field field--name-title field--type-string field--label-hidden">Dutch SA fines Transavia for poor personal data security</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>icolonnm</span></span> <span class="field field--name-created field--type-created field--label-hidden"><span datetime="2022-11-17T10:04:07+01:00" title="Thursday, November 17, 2022 - 10:04" class="news-date">Thu, 17/11/2022 - 10:04</span> </span> <div class="field field--name-field-edpb-news-image-m field--type-entity-reference field--label-hidden field__item"><div> <div class="field field--name-oe-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="https://www.edpb.europa.eu/sites/default/files/styles/large/public/2022-09/one_stop_shop.jpg?itok=vzSEhOod" width="480" height="480" alt class="image-style-large"> </div> </div> </div> <span class="news-date mr-3 d-inline-block">23 September 2021</span> <ul class="member-states-list field__items d-inline-block pl-0 mb-1"> <li class="field__item d-inline" id="member-state-0"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/netherlands_en" hreflang="en">Netherlands</a></li> <li class="field__item d-inline" id="member-state-1"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/ireland_en" hreflang="en">Ireland</a></li> <li class="field__item d-inline" id="member-state-2"><a 
href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/france_en" hreflang="en">France</a></li> <li class="field__item d-inline" id="member-state-3"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/belgium_en" hreflang="en">Belgium</a></li> <li class="field__item d-inline" id="member-state-4"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/denmark_en" hreflang="en">Denmark</a></li> <li class="field__item d-inline" id="member-state-5"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/poland_en" hreflang="en">Poland</a></li> <li class="field__item d-inline" id="member-state-6"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/cyprus_en" hreflang="en">Cyprus</a></li> <li class="field__item d-inline" id="member-state-7"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/italy_en" hreflang="en">Italy</a></li> <li class="field__item d-inline" id="member-state-8"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/germany_en" hreflang="en">Germany</a></li> <li class="field__item d-inline" id="member-state-9"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/austria_en" hreflang="en">Austria</a></li> <li class="field__item d-inline" id="member-state-10"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/finland_en" hreflang="en">Finland</a></li> <li class="field__item d-inline" id="member-state-11"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/sweden_en" hreflang="en">Sweden</a></li> <li class="field__item d-inline" id="member-state-12"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovakia_en" hreflang="en">Slovakia</a></li> <li class="field__item d-inline" id="member-state-13"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/hungary_en" 
hreflang="en">Hungary</a></li> <li class="field__item d-inline" id="member-state-14"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/norway_en" hreflang="en">Norway</a></li> <li class="field__item d-inline" id="member-state-15"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/spain_en" hreflang="en">Spain</a></li> <li class="field__item d-inline" id="member-state-16"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/poland_en" hreflang="en">Poland</a></li> <li class="field__item d-inline" id="member-state-17"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/croatia_en" hreflang="en">Croatia</a></li> <li class="field__item d-inline" id="member-state-18"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/iceland_en" hreflang="en">Iceland</a></li> <li class="field__item d-inline" id="member-state-19"><a href="https://www.edpb.europa.eu/our-work-tools/our-documents/member-state/slovenia_en" hreflang="en">Slovenia</a></li> </ul> <div class="clearfix text-formatted field field--name-field-edpb-body field--type-text-with-summary field--label-hidden field__item"><h2>Background information</h2> <ul> <li>Date of final decision: 23 September 2021</li> <li>Cross-border case: cross-border case</li> <li>If cross-border, LSA: Netherlands</li> <li>and CSAs: Ireland, France, Belgium, Denmark, Poland, Cyprus, Italy, Baden-Württemberg, Austria, Finland, Sweden, Slovakia, Hungary, Berlin, Bavaria private sector, Norway, Rhineland-Palatinate, Spain, Portugal, Croatia, Iceland, Slovenia</li> <li>Controller:&nbsp; Transavia Airlines C.V.&nbsp;&nbsp;</li> <li>Legal Reference: Security of processing. 
Article 32 (1) and (2)</li> <li>Decision: Infringement of the GDPR, administrative fine</li> <li>Key words: Security of processing, data security breach</li> </ul> <p>&nbsp;</p> <h2>Summary of the Decision</h2> <h3>&nbsp;</h3> <h3>Origin of the case</h3> <p>The Dutch Supervisory Authority (SA) started this investigation after a data breach notification by Transavia.</p> <h3>&nbsp;</h3> <h3>Key Findings</h3> <p>Due to poor security of personal data, a hacker was able to break into Transavia’s systems, in which he could have potentially had access to the data of 25 million passengers. It has been determined that the hacker actually downloaded the personal data of 83,000 people. The hacker broke into Transavia’s systems in September 2019 using two of the company’s IT department accounts. There were three security flaws that made it simple for the hacker to do this:</p> <ul> <li>The password was easy to guess.</li> <li>Only the password was needed to enter the system. There was no multi-factor authentication in place.</li> <li>Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This is because the access rights connected to these accounts were not restricted to necessary systems only.</li> </ul> <h3>&nbsp;</h3> <h3>Decision</h3> <p>The Dutch SA has fined Transavia €400,000.</p> <p>&nbsp;</p> <p><strong>For further information:&nbsp; </strong><a href="https://autoriteitpersoonsgegevens.nl/en/news/dutch-dpa-fines-transavia-poor-personal-data-security">Dutch DPA fines Transavia for poor personal data security</a></p> <p>&nbsp;</p> </div> <div class="clearfix text-formatted field field--name-field-edpb-disclaimer field--type-text-long field--label-hidden field__item"><p><i>The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. 
Any questions regarding this news item should be directed to the supervisory authority concerned.</i></p> </div> </description> <pubDate>Thu, 17 Nov 2022 09:04:07 +0000</pubDate> <dc:creator>icolonnm</dc:creator> <guid isPermaLink="false">4424 at https://www.edpb.europa.eu</guid> </item> </channel> </rss>