SANCTIONING PRACTICES
ANSPDCP (Romanian DPA)
CCTV system used for disciplinary sanctioning of employees – controller fined EUR 5,000
FACTS
The controller accessed the existing video surveillance system at one of its work points and illegally processed the image of its employees, including for the purpose of their disciplinary investigation, thus violating the principles of processing and the conditions of lawfulness of processing.
WHAT SHOULD YOU DO?
- Do not use video surveillance systems for disciplinary purposes without a clear legal basis and prior notice. The processing of employees' images for the purpose of disciplinary investigation must be based on a distinct legal basis (e.g. well-founded legitimate interest) and must be expressly mentioned in the information provided to employees.
- Review internal CCTV policies and implement clear organisational measures. Establish written procedures governing who has access to the videos, under what conditions, and for what purposes. Video surveillance cannot be used arbitrarily.
Illegal transborder processing – controller fined EUR 12,000
FACTS
After notifications from two EU authorities, the DPA investigated a controller with its main headquarters in Romania, finding several irregularities, in relation to incomplete information provided following the exercise of the right to access and the failure to meet a condition regarding the lawfulness of the processing.
WHAT SHOULD YOU DO?
- Respect the right of access and provide complete and clear information. According to Articles 14 and 15 of the GDPR, data subjects have the right to receive clear, transparent and complete information about the processing of their data. Ignoring these obligations or submitting incomplete responses may lead to sanctions, especially in the context of cross-border processing.
- Ongoing staff training is essential for compliance. Staff must be regularly trained in responding to data subject requests and correctly identifying the legal grounds for processing.
CNIL (French DPA)
Marketing company fined for unsolicited marketing messages – controller fined EUR 900,000
FACTS
The company in question carries out, on behalf of other companies, marketing campaigns by SMS and email. These campaigns relied on data sets that the fined company bought from several brokers, who in turn had collected them through online competition forms or product tests. The Authority considered that, for data collected by these brokers, consent to marketing could not be regarded as freely given. The fined company could not even prove that consent had been collected from the data subjects.
WHAT SHOULD YOU DO?
- Thoroughly check the source and validity of consent before using data acquired from brokers. Consent for direct marketing must be specific, informed and freely expressed. Mere participation in competitions or tests does not justify further processing for promotional purposes.
- Keep clear evidence of consent for each data subject. You must be able to demonstrate, at the request of the DPA, that each contact used in SMS or email marketing campaigns has given valid consent.
GPDP (Italian DPA)
AI provider sanctioned after the service was totally blocked in 2023 – controller fined EUR 5,000,000
FACTS
The operator of a chatbot was fined for the lack of a legal basis for processing and for the inadequacy of its age verification system (a further investigation was then opened into the processing of data by the AI system underlying its service). The fine comes after the chatbot was totally blocked in 2023, when the same problems were reported to the controller.
WHAT SHOULD YOU DO?
- Ensure a clear legal basis and a complete and up-to-date privacy policy. Any processing of personal data through AI-based services – such as interactive chatbots – must be based on a valid legal basis (e.g. consent, legitimate interest).
- Implement effective age verification mechanisms if you exclude minors from using the service. The mere mention that minors cannot access the service is not enough. Real technical controls are required for age verification, both at registration and during use.
Energy companies conduct aggressive telemarketing – controllers fined EUR 3,850,000
FACTS
An energy supplier (electricity and gas) and several companies involved in obtaining contracts were fined for aggressive telemarketing practices and illicit processing of personal data. The energy supplier was fined EUR 3 million. The controller obtained lists of users who had recently changed their energy supplier from the other companies involved in this agreement. Then the people concerned were called, invoking false technical problems generated by the change of suppliers. Users were persuaded to accept a contract with the operator by inducing fear.
WHAT SHOULD YOU DO?
- Avoid manipulative telemarketing tactics and collecting data from uncertain sources. The processing of data for marketing purposes must comply with the principles of legality, transparency and fairness. Obtaining customer lists through opaque agreements between companies and contacting them with false information constitutes a serious violation.
- Check the legal basis and origin of the data before initiating commercial campaigns. It is essential that any contact list used for marketing has a clearly documented provenance and a valid legal basis (e.g. explicit consent).
DPC (Irish DPA)
Company behind TikTok transfers EEA users' personal data to China – controller fined EUR 530,000,000
FACTS
The Irish DPA was responsible for this cross-border investigation, which found that EEA user data was stored on servers located in China, although Bytedance had assured the DPA that this was not the case. Transfers to China do not provide an adequate level of protection for the personal data concerned.
WHAT SHOULD YOU DO?
- Effectively monitor the actual location of data and respect commitments to authorities. Simply committing that data will not be transferred outside the EEA is not enough. Companies must actively check where the data is actually stored and strictly comply with the declarations made to the supervisory authorities.
- Avoid transfers to third countries without adequate safeguards. Data transfers to countries such as China, which do not benefit from an adequacy decision from the European Commission, require additional safeguards (e.g. standard contractual clauses + additional technical measures).
LEGISLATIVE UPDATES AND GUIDELINES
CNIL (French DPA) analyses the use of augmented CCTV for automated checkouts
As certain companies want to implement augmented cameras for the surveillance of automatic checkouts, CNIL has analysed this practice from the perspective of data processing and made the following observations:
- The main recommendation is that this use should be tested in real conditions in the first phase to verify the technical effectiveness, the results regarding the deterrent effect and the impact on the data subjects.
- The processing cannot be considered anonymous. The link between the filmed person and the processing remains, because the person can be identified from the images.
- The processing may be based on a legitimate interest of the controller, provided that the device can be proven to be necessary for the purpose pursued and that the rights of data subjects are not disproportionately affected, which is ensured by measures such as: limiting the scope and duration of the images captured, clear information to customers and the non-use of data for profiling.
- Other measures include: the right to object of the data subjects that can be exercised by choosing a checkout without augmented cameras, documenting the legitimate interest for the processing for the purpose of improving the algorithm and ensuring a way in which the data subject can object to the latter.
AP (Dutch DPA) issues GDPR prerequisites for generative AI
- Organisations using generative AI models must provide clear explanations of how personal data is processed, including how training data is used and system-generated outcomes.
- It is essential that the personal data used to train or operate AI models is reduced to what is strictly necessary. Anonymisation and pseudonymisation should be applied where possible.
- The processing of personal data by AI systems must be based on a clear legal basis according to the GDPR (e.g. consent, legitimate interest, etc.). The lack of an explicit legal basis is a serious violation.
- For generative AI systems that involve high risks to the rights of data subjects, a DPIA must be carried out before implementation.
- AI providers and users must ensure effective human control over the results generated by the system. It is not allowed to make fully automated decisions that have legal or similar effects without proper human evaluation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.