National data protection authority

Norwegian DPA issues fine to Coop Finnmark

Retrieved on: 
Thursday, February 11, 2021

The Norwegian Data Protection Authority has issued a fine in the amount of EUR 40 000 (NOK 400,000) to Coop Finnmark SA.

Key Points: 
  • The Norwegian Data Protection Authority has issued a fine in the amount of EUR 40 000 (NOK 400,000) to Coop Finnmark SA.
  • After reviewing the case, the Data Protection Authority finds that Coop Finnmark lacked a legal basis for the shop manager's distribution of the surveillance footage.
  • This case was reported as a personal data breach notification from Coop Finnmark AS on April 10th 2019, and the Data Protection Authority issued a notice of fine in March 2020.
  • Coop Finnmark has submitted comments to the notice, which the Data Protection Authority has now considered.

Dutch DPA imposes order subject to penalty on health insurer CZ

Retrieved on: 
Tuesday, January 26, 2021

Following an investigation, the Dutch Data Protection Authority (DPA) found that the way health insurer CZ handled applications for prior approval of treatment was in breach of the General Data Protection Regulation (GDPR).

Key Points: 
  • Following an investigation, the Dutch Data Protection Authority (DPA) found that the way health insurer CZ handled applications for prior approval of treatment was in breach of the General Data Protection Regulation (GDPR).
  • For this breach of privacy legislation, the DPA has imposed an order subject to penalty on CZ.
  • To cover specialised medical rehabilitation, health insurer CZ requires insured persons to apply for prior approval (authorisation requirement).
  • For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

    The press release published here does not constitute official EDPB communication, nor an EDPB endorsement.

The Complex Landscape of Enforcing the LGPD in Brazil: Public Prosecutors, Courts and the National System of Consumer Defense

Retrieved on: 
Monday, December 21, 2020

The speakers included: Danilo Doneda, Professor at IDP and advisor to the National Council for the Protection of Personal Data and Privacy (CNPD); Laura Schertel, Professor at IDP and UNB, and Director of the IDP Law, Internet and Society Center; and Rafael Zanatta, Director of Data Privacy Brasil Research Association. As a federation, Brazil hosts many separate authorities and courts with their own competencies and powers on the national, state/regional, and municipal levels.

Key Points: 
  • The speakers included: 
    • Danilo Doneda, Professor at IDP and advisor to the National Council for the Protection of Personal Data and Privacy (CNPD) 
    • Laura Schertel, Professor at IDP and UNB, and Director of the IDP Law, Internet and Society Center
    • Rafael Zanatta, Director of Data Privacy Brasil Research Association
    • As a federation, Brazil hosts many separate authorities and courts with their own competencies and powers on the national, state/regional, and municipal levels.
    • Brazil's recently created National Data Protection Authority (NDPA) will operate in a very complex system, alongside well-established enforcers of the law, like consumer protection authorities and public prosecutors, on top of broad private rights of action granted by the LGPD directly to individuals.
    • Because of this complex environment, uncertainty may appear as to how the LGPD will be implemented and enforced in practice.
    • What are the solutions to solve potential sources of conflict in the Brazilian legal system?

    1. Background 

      • From a broader perspective, however, the structure of the legal system of Brazil makes clarity even more difficult.
      • This is because many legal institutions in Brazil have competences to enforce consumer protection laws, including issues that involve data protection and privacy.
      • In addition, while the LGPD operates as a federal law, state and municipal authorities introduced data and consumer protection measures within their jurisdictions well before the LGPD's enactment.
      • Such diffusion has created a mosaic of legal competences and introduced a range of complexities that all data protection practitioners should be aware of when engaging with Brazil and its new data protection law.

    2. Public Ministries  

      • Legally structured by the 1988 Constitution, the Public Ministry (Ministério Público) hosts independent public prosecutors at both the federal and state level.
      • There are currently 31 different Public Ministries throughout Brazil.
      • Every prosecutor in the Public Ministries can start a civil action or procedure if he or she believes there is a basis in law.
      • On the other, the role of Public Ministries is pivotal as it could serve as a check to any NDPA action that runs contrary to public consumer interest.

    3. Recent Case Law 

      • In addition to the Public Ministries, recent case law in Brazil also shines light on some unique regulatory challenges facing the implementation of the LGPD.
      • This case law illustrates how data protection was a fundamental issue in the judicial system before the enactment of the recent law, particularly in the area of consumer protection.
      • As such, grasping the implications of this case law is critical for understanding how regulators will implement the LGPD.
      • In this case (ADI 6387), a legal provision mandated personal data sharing for statistical purposes as an emergency measure in response to the pandemic.
      • Another recent case discussed the implications of consent for the credit scoring industry in Brazil.
      • Finally, two additional cases also shed light on how recent case law has influenced data protection in Brazil.
      • One case held that contracts that preclude the ability of consumers to have a say about the scope of data disclosure were illegal (Case José Galvão Silva vs Procob SA, Special Appeal 1.758.799, State of Minas Gerais, decided by the Superior Court of Justice in November 2019).

    4. National System of Consumer Defense 

      • The National System of Consumer Defense (SNDC) also raises complexities for the implementation of the LGPD in Brazil.
      • Established with the Brazilian Code of Consumer Protection in 1990 and regulated by Presidential Decree nº 2.181/1997, the SNDC brings together federal, state, and municipal agencies, as well as civil society organizations, to prevent, investigate and prosecute violations of consumer protection law.
      • As a broad institutional framework for consumer protection, the SNDC has over 30 years of experience and covers 798 units spread across 591 Brazilian cities.
      • The Procons (Procuradoria de Proteção e Defesa do Consumidor) function within the National System to help consumers administratively file complaints, give instructions and information about consumer rights, and verify judgments.
      • The Procons have issued a few decisions related to data protection over the years that have generated attention.
      • Another in 2020 saw the Procon-SP reach an agreement with the energy distributor Enel over consumer complaints of increased and incorrect billings.

    5. Conflicts of Competencies 

      • Indeed, conflicts between all three of the institutions mentioned above may surface with the implementation of the LGPD.
      • Such conflict could create further uncertainty as to the application of data protection standards within the unique and complex institutional structure of Brazil's legal system.
      • While there are many potential resolutions of these conflicts, it is hard to predict exactly how the process will play out.
      • However, it does state that the various public bodies engaged in data protection will coordinate with one another to fulfill their duties effectively.
      • Hopefully as the NDPA gains more experience, some of these larger potential sources of conflict can be addressed.

    6. Conclusion

  • 300,000 SEK fine against housing company

    Retrieved on: 
    Thursday, December 17, 2020

    The Swedish Data Protection Authority has issued an administrative fine of SEK 300,000 against a housing company for unlawful video surveillance in an apartment building.

    Key Points: 
    • The Swedish Data Protection Authority has issued an administrative fine of SEK 300,000 against a housing company for unlawful video surveillance in an apartment building.
    • The Swedish Data Protection Authority (DPA) received a complaint concerning video surveillance in an apartment building belonging to the housing company Uppsalahem.
    • The DPA's audit shows that the housing company had set up a surveillance camera monitoring the floor where the complainant lives.
    • For that reason, the DPA imposes a fine of SEK 300,000 on the housing company.

    The Complex Landscape of Enforcing the LGPD in Brazil: Public Prosecutors, Courts and the National System of Consumer Defense

    Retrieved on: 
    Wednesday, December 16, 2020

     Danilo Doneda, Professor at IDP and advisor to the National Council for the Protection of Personal Data and Privacy (CNPD). As a federation, Brazil hosts many separate authorities and courts with their own competencies and powers on the national, state/regional, and municipal levels.

    Key Points: 
    • Danilo Doneda, Professor at IDP and advisor to the National Council for the Protection of Personal Data and Privacy (CNPD) 
    • As a federation, Brazil hosts many separate authorities and courts with their own competencies and powers on the national, state/regional, and municipal levels.
    • Brazil's recently created National Data Protection Authority (NDPA) will operate in a very complex system, alongside well-established enforcers of the law, like consumer protection authorities and public prosecutors, on top of broad private rights of action granted by the LGPD directly to individuals.
    • Because of this complex environment, uncertainty may appear as to how the LGPD will be implemented and enforced in practice.
    • What are the solutions to solve potential sources of conflict in the Brazilian legal system?


      This blog (1) summarizes the contributions of our three guest speakers, focusing on (2) public prosecutors under the Public Ministry, (3) recent case-law from the two highest Federal Brazilian Courts, (4) the national system of consumer defence, and (5) outlines potential conflicts of competence, before reaching (6) conclusions.   

    1. Background 

      • From a broader perspective, however, the structure of the legal system of Brazil makes clarity even more difficult.
      • This is because many legal institutions in Brazil have competences to enforce consumer protection laws, including issues that involve data protection and privacy.
      • In addition, while the LGPD operates as a federal law, state and municipal authorities introduced data and consumer protection measures within their jurisdictions well before the LGPD's enactment.
      • Such diffusion has created a mosaic of legal competences and introduced a range of complexities that all data protection practitioners should be aware of when engaging with Brazil and its new data protection law.

    2. Public Ministries  

      • Legally structured by the 1988 Constitution, the Public Ministry (Ministério Público) hosts independent public prosecutors at both the federal and state level.
      • There are currently 31 different Public Ministries throughout Brazil.
      • Every prosecutor in the Public Ministries can start a civil action or procedure if he or she believes there is a basis in law.
      • On the other, the role of Public Ministries is pivotal as it could serve as a check to any NDPA action that runs contrary to public consumer interest.

    3. Recent Case Law 

      • In addition to the Public Ministries, recent case law in Brazil also shines light on some unique regulatory challenges facing the implementation of the LGPD.
      • This case law illustrates how data protection was a fundamental issue in the judicial system before the enactment of the recent law, particularly in the area of consumer protection.
      • As such, grasping the implications of this case law is critical for understanding how regulators will implement the LGPD.
      • In this case (ADI 6387), a legal provision mandated personal data sharing for statistical purposes as an emergency measure in response to the pandemic.
      • Another recent case discussed the implications of consent for the credit scoring industry in Brazil.
      • Finally, two additional cases also shed light on how recent case law has influenced data protection in Brazil.
      • One case held that contracts that preclude the ability of consumers to have a say about the scope of data disclosure were illegal (Case José Galvão Silva vs Procob SA, Special Appeal 1.758.799, State of Minas Gerais, decided by the Superior Court of Justice in November 2019).

    4. National System of Consumer Defense 

      • The National System of Consumer Defense (SNDC) also raises complexities for the implementation of the LGPD in Brazil.
      • Established with the Brazilian Code of Consumer Protection in 1990 and regulated by Presidential Decree nº 2.181/1997, the SNDC brings together federal, state, and municipal agencies, as well as civil society organizations, to prevent, investigate and prosecute violations of consumer protection law.
      • As a broad institutional framework for consumer protection, the SNDC has over 30 years of experience and covers 798 units spread across 591 Brazilian cities.
      • The Procons (Procuradoria de Proteção e Defesa do Consumidor) function within the National System to help consumers administratively file complaints, give instructions and information about consumer rights, and verify judgments.
      • The Procons have issued a few decisions related to data protection over the years that have generated attention.
      • Another in 2020 saw the Procon-SP reach an agreement with the energy distributor Enel over consumer complaints of increased and incorrect billings.

    5. Conflicts of Competencies 

      • Indeed, conflicts between all three of the institutions mentioned above may surface with the implementation of the LGPD.
      • Such conflict could create further uncertainty as to the application of data protection standards within the unique and complex institutional structure of Brazil's legal system.
      • While there are many potential resolutions of these conflicts, it is hard to predict exactly how the process will play out.
      • However, it does state that the various public bodies engaged in data protection will coordinate with one another to fulfill their duties effectively.
      • Hopefully as the NDPA gains more experience, some of these larger potential sources of conflict can be addressed.

    6. Conclusion

      • Brazil has come a long way in the construction of a solid data protection normative framework, in which the LGPD is a central part.
      • The LGPD standardized the discipline of personal data protection in Brazil, creating general obligations for all sectors and systematizing the rights of data subjects.
      • However, it is essential to note that the law operates within an existing framework, and therefore, it must be harmonized with other norms and institutions.
      • There is a challenge for regulators in how they interpret and advance the right to data protection while remaining cohesive across institutional competences to supervise and enforce the law.
      • This scenario makes the harmonization of the interpretation of the General Personal Data Protection Law challenging.
  • University failed to sufficiently protect sensitive personal data

    Retrieved on: 
    Wednesday, December 16, 2020

    Umeå University has processed special categories of personal data concerning sexual life and health through, amongst other things, storage in a cloud service, without sufficiently protecting the data.

    Key Points: 
    • Umeå University has processed special categories of personal data concerning sexual life and health through, amongst other things, storage in a cloud service, without sufficiently protecting the data.
    • The Swedish Data Protection Authority has now completed an audit of Umeå University, concluding that the University has violated the General Data Protection Regulation by processing special categories of personal data without applying appropriate technical and organisational measures to protect the data.
    • The Swedish Data Protection Authority also criticises the University for failing to report the incident as a personal data breach.
    • Since 25 May 2018, organisations are obliged to report personal data breaches to the Swedish Data Protection Authority.

    The right to information when taking fingerprints

    Retrieved on: 
    Saturday, December 5, 2020

    FRA discussed with the Eurodac Supervision Coordination Group future cooperation activities and how best to disseminate its guide for authorities on their duty to inform when taking fingerprints.

    Key Points: 
    • FRA discussed with the Eurodac Supervision Coordination Group future cooperation activities and how best to disseminate its guide for authorities on their duty to inform when taking fingerprints.
    • The group consists of one representative of each Member State's data protection authority and the European Data Protection Supervisor (EDPS).
    • National data protection authorities supported the translation of the leaflet.
    • The meeting took place on 26 November.

    Swedish SA fines Board of Education in the City of Stockholm

    Retrieved on: 
    Monday, November 30, 2020

    The review shows an insufficient level of security of such grave nature that the authority issues an administrative fine of four million SEK against the Board of Education in the City of Stockholm.

    Key Points: 
    • The review shows an insufficient level of security of such grave nature that the authority issues an administrative fine of four million SEK against the Board of Education in the City of Stockholm.
    • The Swedish Data Protection Authority has received a number of personal data breach notifications from the City of Stockholm's Board of Education.
    • The incidents all relate to the School Platform, which is the IT system used for, among other things, student administration in Stockholm.
    • In its decision, the Swedish Data Protection Authority finds that the Education Board has not ensured that the personal data in question is processed securely.

    GDPR fine for unlawful video surveillance in an LSS housing

    Retrieved on: 
    Monday, November 30, 2020

    The Swedish Data Protection Authority issues an administrative fine of SEK 200,000 against Gnosjö Municipality for unlawful video surveillance in an LSS housing.

    Key Points: 
    • The Swedish Data Protection Authority issues an administrative fine of SEK 200,000 against Gnosjö Municipality for unlawful video surveillance in an LSS housing.
    • The Authority initiated an audit of the LSS housing and can conclude that the resident in question indeed was monitored in their bedroom in violation of the General Data Protection Regulation, GDPR, and the Swedish Video Surveillance Act.
    • However, it should be possible for the LSS housing to achieve the same purposes as those for which the video surveillance was carried out with less privacy-intrusive means.
    • The Swedish Data Protection Authority concludes in its decision that there is no legal basis for the video surveillance, that an impact assessment has not been carried out before initiating the video surveillance and that the controller has failed to clearly inform about the video surveillance.

    Privacy Commissioner Advocates Protection of Personal Data amidst COVID-19 at International Privacy Conference

    Retrieved on: 
    Friday, October 16, 2020

    The Privacy Commissioner for Personal Data, Hong Kong, Ms Ada CHUNG Lai-ling attended the virtual conference of the 42nd Global Privacy Assembly (GPA) on 13-15 October 2020.

    Key Points: 
    • The Privacy Commissioner for Personal Data, Hong Kong, Ms Ada CHUNG Lai-ling attended the virtual conference of the 42nd Global Privacy Assembly (GPA) on 13-15 October 2020.
    • Ms Ada Chung presented to GPA members the Compendium of Best Practices in Response to COVID-19, the compilation of which was led by the Office of the Privacy Commissioner for Personal Data (PCPD).
    • To address personal data privacy risks associated with the boom of artificial intelligence (AI), a Resolution on Accountability in the Development and Use of AI was also adopted by all GPA members at the conference.
    • The GPA, formerly known as the International Conference of Data Protection and Privacy Commissioners, is the leading international forum for over 130 data protection authorities from around the globe to discuss and exchange views on privacy issues and the latest international developments.