EU Data Protection fines & Updates, November 2019

In this weeks blog we look at four articles covering a fine issued by the Polish DPA for €645,000 against an online retail company, an update on your position with using electronic signatures – watch out for your email signatures? Facebook settling a £500,000 penalty, without guilt for unfairly processing personal data of 87 million users and finally a bit of a hot topic, the requirements of appointing an EU and/or a UK representative.

If you would like more information on the requirements of a representative and to take advantage of our free assessment of need, please contact us.

Our blog ends with the latest fines from around Europe, continue reading to find out.

Polish DPA issues largest fine for Insufficient Security and Organisational Measures

Further to the Facebook and Tesco scandals, and the apparent statistic increase of enforcement fines issued, the Polish Data Protection Authority has issued a landmark fine of €645,000 against online retail company morele.net for insufficient security and organisational measures violating data confidentiality and integrity principles prescribed in the EU’s General Data Protection Regulation.

In particular, insufficient technical security measures, inadequate authentication methods and a lack of additional security solutions were attributed to the theft of information relating to over 2.2 million natural persons registered in the databases of the specified retailers.

Update on the Law on Electronic Signatures

Last month the Law Commission published its Report on the electronic execution of documents. Although the law in England and Wales has always recognised a range of signatures – including initials, pictures and printed names – the emergence of digital “smart contracts” in recent years has led to uncertainty about what constitutes a valid method of signature, and in particular, the legal status of electronic signatures.

The Report concluded that ‘in most cases’ electronic signatures will be legally binding for any document, including deeds, provided that the signatory intended for it to be so. However, the Law Commission has reaffirmed the legal requirement for the physical presence of a witness where the document requires it, curbing speculation that remote witnessing, such as via Skype, would be a natural progression in the law on electronic signatures.

Nonetheless, the general validity of electronic signatures has ramifications which businesses should be aware of to avoid entering into contracts inadvertently. For example, in Neocleous v Rees [2019] it was held that the automatic generation of a name and contact details in the footer of an email chain was capable of concluding a contract which had been formed over a series of emails.

In that case, a dispute over a right of way was settled by the parties’ solicitors in an email chain. The Claimant successfully sought specific performance in relation to the compromise agreed between the solicitors. The Court found that the solicitor had agreed to the compromise agreement on behalf of their client because of the inclusion of their name in the footer of the email chain which amounted to an electronic signature.

Businesses should therefore consider the implications of their name and contact details being included in an email footer when negotiating agreements with their suppliers and customers. A clear disclaimer should be included in the email footer to prevent the accidental formation of a contract. This is particularly important since email footers are often automatically populated.

Email footers are not the only method of signing that businesses should review. The use of tick-boxes, unique PIN numbers or secure passwords provided to customers or suppliers are all now potentially valid forms of signing a contract. Businesses should therefore review their processes around these methods to make sure that, where contracts are being concluded, appropriate terms and conditions have been incorporated.

U.K. ICO and social media company settle privacy investigation

On October 30, the U.K. Information Commissioner’s Office (ICO) announced an agreement reached between the ICO and a social media company that resolves an investigation into the company’s alleged misuse of personal data. The company has agreed to withdraw its appeal of the £500,000 penalty issued last year under section 55A of the Data Protection Act 1998 (DPA) and settle the case without an admission of guilt. The investigation stems from a data incident affecting upwards of 87 million users worldwide that included the processing of personal data about U.K. users in the context of a U.K. establishment. According to the ICO, the company violated principles of the DPA by (i) unfairly processing personal data; and (ii) failing “to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.” The ICO published a statement by the company’s associate general counsel in which he noted that the company has “made major changes” to its platform that significantly restricts the information accessible to app developers, and that protecting people’s information and privacy is a top priority for [the company].” 

Do you need to appoint an EU Representative, a UK Representative or both?

As Brexit uncertainty continues, organisations are still considering their options with respect to data protection in the event of a no-deal Brexit. A ‘no-deal’ Brexit will generate a number of data protection concerns and necessary actions for organisations across industries, including the appointment of an article 27 representative in the UK and/or the EU.

What is ‘a representative’ and who does it apply to?

A representative is a local point of contact for the organisation they represent, who can communicate with individuals and data protection authorities on behalf of the organisation in relation to data protection matters.

The GDPR requires organisations not established in the EU to appoint a representative in an EU member state, if the organisation monitors the behaviour of individuals in the EU, or if it is apparent that the organisation intends to offer goods or services to individuals in the EU. Following Brexit, organisations in the UK will be subject to the same requirements, as they will no longer be established in the EU.

In addition to this, in the event of a no deal Brexit, organisations not based in the UK who are offering goods or services to individuals in the UK or monitoring their behaviour will be required to appoint a UK representative, in order to comply with UK data protection law. This has been confirmed by the Information Commissioner’s Office, which has stated that ”the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.

What does this mean in practice for organisations?

Currently, organisations based in the UK do not require a representative in the EU and organisations established in other EU countries do not need a representative in the UK.

Following Brexit, this will change:

• Organisations established outside the EU and the UK: currently, these organisations require one representative based in the EU. Following Brexit, these organisations may need an additional representative. If the organisation’s current representative is based in the UK, but the organisation sells to or monitors individuals in the EU, an additional EU representative will be required to comply with the GDPR. If the organisation’s current representative is based in another EU member state, but the organisation sells to or monitors individuals in the UK, a UK representative will be required to comply with UK law.

Alternatively, it may prove cost-effective to appoint an outsourced representative with establishments in both the EU and the UK which can act on the organisation’s behalf in both cases.

• Organisations established in the UK: organisations established in the UK but which offer goods or services to, or monitor, individuals in the EU will need to appoint a representative in an EU country following Brexit.
• Organisations established in other EU countries: organisations established in the EU but not in the UK, which offer goods or services to, or monitor, individuals in the UK will need to appoint a representative in the UK following Brexit. This will be needed in order to comply with UK law.

What do you need consider when appointing an EU and/or a UK representative?

• Assess where you need a representative (UK and/or EU) considering your current and future business operations
  • Consider whether your business foresees an expansion which will lead to a new market. Will you need a representative in the UK and/or the EU as a result of this?
• Find the best business option to minimise the cost of appointing representative(s) (e.g. a representative located in the jurisdiction required).
  • While a UK representative is relatively straightforward in terms of the representative’s location, non-EU organisations will need to assess carefully when choosing where to appoint their EU representative.
  • Representatives should be located in a jurisdiction in which there are individuals whose data is being processed, but if the individuals are located in multiple countries the organisation will need to make a choice about where to appoint them. In many cases this will not be an obvious choice and a business and legal analysis will be needed to assess where a representative can most effectively fulfill their role.
  • If an organisation processes data from individuals in multiple EU countries, the representative must remain easily accessible to the individuals in all those countries, and must be able to communicate in the language used by the individuals and supervisory authorities of each of those countries.

An outsourced representative with an international presence will make it easier to have a representative easily accessible to individuals and supervisory authorities in different countries, with the language skills required to communicate with them

Fines from around Europe

Let’s take look at the fines issued in Europe due to insufficient data protection.

Data Protection Authority of Baden-Wuerttemberg

2019-XX-XX

€80,000 – Unknown – Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

A company in the financial sector had improperly disposed personal data.

Cyprian Data Protection Commissioner

2019-XX-XX

€14,000D – octor – Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing

A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.

Data Protection Authority of Baden-Wuerttemberg

2019-XX-XX

€80,000 – Unknown – Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

In a digital publication, health data was accidentally published due to inadequate internal control mechanisms.

Data Protection Authority of Berlin

2019-10-30

€14,500,000 – Deutsche Wohnen SE – Art. 5 GDPR, Art. 25 GDPR Non-compliance with general data processing principles

The company used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. It was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.

Spanish Data Protection Authority (aepd)

2019-10-25

€36,000 – VODAFONE ESPANA, S.A.U.Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing

The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its services, which he refused. However, Vodafone España proceeded to providing him services and seeking payment from him, so Vodafone España had processed the claimant’s personal data without his consent.

References:

• https://www.cyberwatchaustralia.com/2019/10/insufficiency-meets-punishment-polish-dpa-issues-largest-fine-for-insufficient-security-and-organisational-measures/
• https://www.boyesturner.com/article/an-update-on-the-law-on-electronic-signatures
• https://buckleyfirm.com/blog/2019-11-01/uk-ico-and-social-media-company-settle-privacy-investigation#page=1
• https://www.twobirds.com/en/news/articles/2019/uk/article-27-representative–do-you-need-to-appoint-an-eu-representative-a-uk-representative-or-both