The Bavarian State Office for Data Protection Supervision (BayLDA) has published its activity report for 2019. Below are references to a selection of the points raised in it:
Complaints and consultations
First of all, 2019 again saw a sharp increase in complaints and “control requests” (reports of data protection violations by persons who are not themselves affected), which are arriving faster than they can be processed.
In contrast, the volume of consultations dropped sharply after a spike in 2018, possibly because of the resources now available online.
Data protection breaches also increased sharply.
Staffing in comparison with the FDPIC
The personnel development at the BayLDA is also interesting:
- As of 31.12.2016: 16 positions
- As of 31.12.2017: 20 positions
- As of 31.12.2018: 24 positions
- As of 31.12.2019: 33 positions
For comparison, the personnel development at the FDPIC according to its latest activity report, as far as the area of the DPA (excl. BGÖ) is concerned:
- 2005: 22 positions
- 2010: 23 positions
- 2018: 24 positions
- 2019: 24 positions
The FDPIC therefore currently has around 27% fewer positions in the area of data protection (excl. BGÖ) than the BayLDA. However, Bavaria has nearly twice as many inhabitants as Switzerland. At the same time, unlike the FDPIC, the BayLDA deals exclusively with data protection in the private sector (a separate authority, the State Commissioner for Data Protection, is responsible for public bodies).
It may further be assumed that roughly 35% of the FDPIC’s activities within data protection (excl. BGÖ) concern the private sector.[mfn]Based on the 2019 activity report. In the area of consultation, the private sector accounts for about half of the effort, but some DPA activity areas concern only the public sector, e.g. participation in legislation or cooperation with the cantons. However, the activity report does not break down the activities as a whole between the private and public sectors, and some figures appear contradictory.[/mfn] On this basis, the FDPIC has at its disposal for the private sector approximately the same staffing as the BayLDA for comparable areas of responsibility, but probably with considerably fewer tasks, since the FDPIC today has no authority to issue orders and also has few data breach notifications to deal with in the private sector. Perhaps this explains why the FDPIC, despite the scarcity of resources[mfn]The FDPIC has been promised a total of ten additional positions, but these have not yet been approved.[/mfn], takes the time to also deal with matters in the private sector that do not actually fall within its remit but, for reasons of legal policy rather than dogma, are better attributed to the neighbouring field of consumer protection. This includes, for example, the demand for transparency in constellations involving anonymous data, as well as the (legally unfounded) concern that consent is required when processing personal data requiring special protection and personality profiles. In any case, it would also be interesting if the FDPIC published the average number of tasks per employee or per position, as the BayLDA does.
The FDPIC’s call for more resources is nevertheless not unjustified (in any case, data protection is helped more by enforcing the DPA than by merely tightening the law), but it would meet with more understanding if the FDPIC placed more emphasis on delineating its activities along the scope of the DPA and proceeded in an equally risk-based manner, as is required of data processors, and placed less emphasis on perceived data protection and consumer protection, on the panacea of awareness-raising, and on responding to reports by the media and by certain activists with political concerns. Media coverage and public interest are not the same thing, and the stronger the response to media reports, the greater the risk of instrumentalization and thus the threat to independence.
Controls and tests
- In this area, the BayLDA focused on, among other things, cybersecurity and online tracking, because these topics were more frequently the subject of complaints (i.e. what is visible from the outside is, unsurprisingly, more likely to be complained about). In this regard, the BayLDA states:
Although we only examined websites of larger companies, some of which are listed on the stock exchange, with regard to long-established security requirements, we found numerous shortcomings. The security measures taken often had to be classified as inadequate. […] In the area of tracking, too, the result of our audit was dismal: none of the websites audited met the requirements for permissible consent under the GDPR, even though the websites had integrated third-party tracking tools and thus initiated data processing by third-party services.
Further details on these audit results can be found here.
- In the area of accountability (Art. 5 (2) GDPR; no counterpart in the E‑DSG), the BayLDA states:
Despite this and the numerous publications by the supervisory authorities as a whole, many controllers were overwhelmed in terms of accountability. Some companies thought it was enough to hand the supervisory authority a printout of the website’s privacy policy or to declare, “Advertising is a legitimate interest, and that’s why you’re allowed to do that”. The necessary evidence rather included:
- records of processing activities (Art. 30 GDPR),
- data protection impact assessments (Art. 35 GDPR),
- approved codes of conduct (Art. 40 GDPR),
- certification (Art. 42 GDPR),
- data breach notifications (Art. 33 GDPR) and
- processor contracts (Art. 28 (3) GDPR).
In addition, accountability can be demonstrated through other data protection documentation, for example:
- contract management
- concepts for ensuring the rights of data subjects
- processes of the data protection organization
- introduction of data protection guidelines
- internal or external audits
- employee training
- legal opinions
- certifications according to DIN and ISO standards
- other records such as reports, memos or minutes.
The BayLDA’s audit catalogue for accountability, which also serves as a good checklist for implementing the GDPR, can be found here: Link.
Data subject rights
“No-gos” regarding the right to information
With reference to the right to information, the BayLDA first notes the following “no-gos” on the part of controllers, but also of applicants:
- Controllers:
  - ignoring requests for information when the applicant’s identity is in doubt;
  - providing information only about master data, as if that were the only personal data held;
  - invoking disproportionate effort without explaining the circumstances;
- Data subjects:
  - filing a complaint with the authority before the controller’s response period has expired;
  - disregarding the purpose of the right to information. Here the BayLDA explicitly states: “The right to information is intended exclusively to pursue data protection goals. It is not meant to serve the collection of evidence for other existing disputes.” In Switzerland, this point is not yet entirely clear, despite the CS ruling of the Federal Supreme Court. It would not be surprising if the courts were called upon to provide further clarification here in the future;
  - asserting the right to information against the other party’s lawyer;
  - complaining without supporting evidence.
Staged responses to blanket requests for information
With reference to the duty of insurance companies to provide information, but in substance generally applicable to controllers with extensive processing activities (and also correct for Switzerland), the BayLDA states that the insurer’s duty to provide information is not limited to the policyholder’s master data, but that in the case of blanket requests it is permissible, in a first step, to provide information only about the master data. Further information need only be provided if the policyholder specifies the request accordingly.
Data protection on the Internet
Facebook Fan Pages
The BayLDA states succinctly:
As things stand, operators of Facebook fan pages have no way of operating them in a data protection compliant manner and must therefore expect to be the addressees of orders issued by the supervisory authorities.
Without sufficient knowledge of the processing activities, the operator of the Fanpage cannot assess whether they are carried out lawfully.
As long as Facebook does not improve this situation, it is not possible to operate a fan page in compliance with data protection law, despite Facebook’s “Page Controller Addendum” (the agreement within the meaning of Art. 26 GDPR; for further information see here).
Tracking Tools
As mentioned, the BayLDA placed great emphasis on the use of tracking tools on the Internet during its audits. Here, the “Guidance from the supervisory authorities for telemedia providers” (as of March 2019) must be observed. Regarding Google Analytics, the BayLDA’s opinion is as follows:
For example, the so-called “data release” to Google is activated by default. Taking into account the “Guidance for Telemedia Providers”, this means the following: if the website operator grants Google the option to use the website visitors’ data for its own purposes, this requires the user’s consent.
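The audit finding quoted above (tracking tools integrated and initiating third-party processing before any consent) and the consent requirement stated here come down to one implementation question: when does the tracker script get loaded? The following is an added example, not code from the BayLDA report or from this post, showing the weak pattern beside a consent-gated one; the consent record format, the purpose name “analytics” and the tracker URL are constructed assumptions.

```javascript
// Added example (not from the BayLDA report): a consent gate that keeps a third-party
// tracking script from loading, and so from sending visitor data to the third party,
// until the visitor has given explicit consent for that purpose.
// Constructed assumptions: the JSON consent record, the "analytics" purpose, the URL.
const TRACKER_SRC = "https://tracker.example/analytics.js"; // placeholder URL

// Returns true only for a well-formed record that explicitly lists the purpose.
// Missing, unparsable or empty records count as no consent, so a broken or
// tampered cookie can never cause the tracker to load.
function hasConsentFor(rawRecord, purpose) {
  if (typeof rawRecord !== "string") return false;
  let record;
  try {
    record = JSON.parse(rawRecord);
  } catch (e) {
    return false;
  }
  if (!record || typeof record !== "object" || !Array.isArray(record.granted)) return false;
  return record.granted.includes(purpose);
}

// Weak pattern seen in the audits: the tracker is inserted on page load, before any
// consent exists, so third-party processing starts for every visitor.
function loadTrackerUnconditionally(insertScript) {
  insertScript(TRACKER_SRC);
  return true;
}

// Corrected pattern: the script element is only created after explicit consent for
// the "analytics" purpose. Returns whether the tracker was loaded.
function loadTrackerIfConsented(rawRecord, insertScript) {
  if (!hasConsentFor(rawRecord, "analytics")) return false;
  insertScript(TRACKER_SRC);
  return true;
}

// In a browser, insertScript appends a <script> element; it is passed in as a
// parameter so the gate can be exercised (and tested) without a DOM.
function browserInsertScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Constructed sample records: an explicit opt-in, a declined record, a corrupted value.
const SAMPLE_RECORDS = {
  optedIn: JSON.stringify({ version: 1, granted: ["analytics"], ts: "2019-10-01T09:00:00Z" }),
  declined: JSON.stringify({ version: 1, granted: [] }),
  corrupted: "{granted:[analytics]",
};
```

On a real page the call would be `loadTrackerIfConsented(readConsentCookie(), browserInsertScript)` after the consent dialog resolves, and the same gate has to be applied to every third-party tag, not only to the analytics script.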
Advertising and address trading
In 2019, the BayLDA’s attention was drawn several times to banks that also process customer data to create extensive advertising profiles, including on the basis of data from advisory discussions, usage data from online banking and banking apps, data from ongoing contracts and payment transaction data. This processing was in each case based on a balancing of interests pursuant to Art. 6 (1) (f) GDPR.
However, it cannot generally be assumed that the promotional interests of the credit institution outweigh the legitimate interests of the customers in excluding such comprehensive profiling. We are therefore of the opinion that such processing can only be implemented in a legally compliant manner with the customer’s consent.
This is especially true with regard to the evaluation of payment transaction data, which is practised in some cases, since, for example, the payment reference information in credit transfers and direct debits often also reveals special categories of personal data (e.g. when paying membership fees to political parties or trade unions, or settling medical bills). For this type of particularly protected data, Art. 9 GDPR generally prohibits processing on the basis of a balancing of interests within the meaning of Art. 6 (1) (f) GDPR.
However, one could also ask whether special categories of data are actually being processed when raw data are used that would permit such protected inferences, but the raw data are not evaluated for that meaning (e.g. if no customer category such as “politically liberal” or “case of illness” is formed). Art. 9 (1) GDPR does not necessarily exclude this view, which is why it is recognized, for example, that employee photos are not to be regarded as health data, even for people who wear glasses, as long as they are not evaluated with regard to this characteristic.
International data traffic
The following statements can be found regarding the Privacy Shield:
It should also be pointed out that the Privacy Shield is, at least indirectly, also the subject of a preliminary reference procedure currently pending before the European Court of Justice (“Schrems II”) [on this, see here], in which a ruling can be expected in the first months of 2020. Even if the specific proceedings do not directly concern the validity of the Privacy Shield decision, it cannot be ruled out that the ECJ may also make relevant statements on the Privacy Shield in its judgment. Even an invalidation of the Privacy Shield by the ECJ in the context of the upcoming ruling cannot be completely ruled out, at least according to some observers. In the aforementioned proceedings before the ECJ (“Schrems II”), the ECJ is called upon, on a referral from the highest court in Ireland (Irish High Court), to rule on the validity of the EU standard data protection clauses for transfers to processors (Commission Decision 2010/87/EU of 15.02.2010).
Employee data protection
In the area of employee data protection, which is particularly strongly shaped by national law, the BayLDA states the following regarding access to the e‑mails of employees who have left the company:
If, as in the specific case at hand, the private use of the Internet and e‑mail is prohibited, the permissibility of the employer’s access to the e‑mail box of the employee who has left the company is governed by Section 26 (1) sentence 1 BDSG. Accordingly, the employer’s handling of employee data for purposes of the employment relationship is permissible if it is necessary for the performance or termination of the employment relationship. The employer is entitled to the business e‑mails, so that he can dispose of them after the employee concerned has left the company. In addition, if e‑mails from the mailbox are required for the further processing of business transactions, the employer must be able to access them. Should he come across an e‑mail with private content, however, he would not be allowed to take note of its contents and would either have to forward it to the employee who has left the company or delete it. In such a case, the consent of the employee who has left the company is not required.
Data security
Data protection breaches
The trend that began after the entry into force of the GDPR continued in 2019: the number of data breach notifications continues to rise sharply. The most common categories relate to cyberattacks, encryption Trojans, malware, loss, theft, software and posting errors, and mis-dispatches. Well over half of the reported data breaches, however, involve circumstances that pose a rather “normal” risk for the affected individuals and where often no further remedial action needs to be taken by the BayLDA. Cyberattacks, on the other hand, can cause significant harm to victims, which is why the BayLDA has decided to pursue and expand its focus on “cybersecurity” as far as possible.
E‑mail communication between professional secrecy holders and data subjects
Lawyers and other professional secrecy holders often communicate with the secrecy owner by e‑mail, which is also permissible under Art. 6 (1) (f) GDPR (legitimate interest in efficient processing). However, according to Art. 32 GDPR, professional secrecy holders must:
In our opinion, when sending e‑mails, it is essential to ensure that transport encryption is in place. Where there is a high risk to the rights and freedoms of data subjects, content encryption (for example using PGP or S/MIME) is additionally required.
This shows, among other things, that professional secrecy protection alone does not mean that all secrets are to be considered high-risk; rather, the data protection law criteria for risk apply unchanged to personal data protected by secrecy.
With the consent of the data subject, content encryption can also be waived for high-risk data, although the consent of all data subjects is required.
In addition, content encryption is always required when the recipient’s e‑mail provider evaluates e‑mail content for advertising purposes.
Fining procedure
In 2019, the BayLDA created a Central Fines Office (ZBS). The two people in the ZBS work exclusively in this area.
In 2019, the BayLDA completed approximately 100 fine proceedings, one of them with a fine under the GDPR (no more than that, because under the favourability principle the old law applies to violations committed under the old law).