Holst, Advokater: GDPR Decisions from January 2020

Henrik Christian StrandAssociate Partner, Holst, Advokater

Italian company fined EUR 5 million for telesales without any consent and illegal conclusion of contract 

On the basis of complaints from a number of citizens, the Italian Data Protection Agency imposed two fines on Eni Gas e Luce amounting to EUR 8.5 million and EUR 3 million, respectively.

The first fine concerned the unlawful processing of personal data in connection with telephone sales. Without having the necessary consent, Eni Gas e Luce approached a number of people for sales purposes, including those who had specifically insisted on not being approached.

The other fine concerned the conclusion of contracts without the persons actually accepting the contract. A number of complainants stated that they only became aware of the concluded contract when receiving a termination from their former energy suppliers or when receiving the first bill from Eni Gas e Luce. In some cases, the complainants also described how signatures had been forged in the contracts.

The decision is the second fine issued by the Italian DPA since the GDPR came into force. The first fine (amounting to EUR 50,000) was issued in April 2019  to the online platform Rousseau.

H&M to expect fine for keeping comprehensive records on employees’ personal data

The DPA in Hamburg has initiated a fine procedure against H&M after having investigated 60 GB data material proving to contain numerous records on employees’ confidential personal data. 

The records included information on past holiday experiences, an impending divorce, sex partners and about menstrual problems. Apparently, the records were a result of both personal interviews between the actual employees and their superiors, and other conversations in the office or made during smoking breaks.

As H&M does not have any legal basis for possessing such information – for example in the nature of a consent – it is contrary to the GDPR to be in possession of the information.

The DPA in Hamburg has expressed that they have not in a long while seen such serious violation of the GDPR, and H&M have stated that they take the matter very seriously and that they shall continue to cooperate with the supervisory authorities and make all measures in order to prevent a similar situation again.  

Serious criticism of EG A/S for “forgetting” to mention a sub-data processor in a sub-data processor agreement

In accordance with the GDPR requirement for a sub-data processing agreement, a Danish Municipality concluded a data processor agreement with company “Ejerkredsen ØS Indsigt”, while a sub-data processor agreement was concluded between Ejerkredsen ØS Indsigt and EG A/S.

From the sub processor agreement it was stated that EG A/S could not conclude a sub processor agreement themselves, unless such was set out in the agreement. Nevertheless, since the conclusion of the agreement on 1 November 2018, EG A/S had used the support system ServiceNow without such system being mentioned in the agreement as an approved sub-data processor.

This came to the knowledge of the Municipality of Herning on 20 August 2019, who reported the incident as a violation of the GDPR, since personal data without any legal basis in the agreement had been made available to unauthorized persons. The breach comprised data on name, birth date, contact information and personal ID number of about 500 citizens.

On the basis of the notification, the DPA expressed their criticism of EG A/S using ServiceNow as a sub-data processor contrary to the sub-data processor agreement. It was taken into consideration that a large number of citizens were involved, that the data comprised citizens’ personal ID numbers, and that in connection with the transfer to ServiceNow, a potential risk of transferring to insecure third countries had been made.

Most interesting was that the DPA in its decision did not take into account that EG A/S had stated in its tender to Ejerkredsen ØS Indsigt that ServiceNow would be used as a sub-data processor, and that according to EG A/S it was only a mistake that ServiceNow had not been mentioned in the sub-data processor agreement. 

Danish Labour Market’s Holiday Fund subject to serious criticism

Under the GDPR, a company must on its own initiative inform the data subject about numerous circumstances pertaining to the data processing. This must be done in a way where the data is gathered together and given all at once and in a concise, transparent, easily accessible and easily understandable way. 

The DPA stated serious criticism towards the Danish Labour Market’s Holiday Fund that data had been given bit by bit to a citizen over several months instead of all at once. Also, the data was not given no later than at the time of the first communication with the data subject, which the GDPR actually prescribes.

The DPA also criticised the Labour Market’s Holiday Fund for requesting a consent from the same citizen for processing the citizen’s data although the Fund had another legal basis. This is a change in the DPA’s former perception, according to which a consent was not ruled out as a legal basis for processing, although another legal basis for processing was applicable.  However, the new perception reconciles with the Greek interpretation of legal basis for processing.


Contributing Advisors

Anders HedetoftPartner, Attorney-at-law, Holst, Advokater