{"id":78762,"date":"2025-02-27T09:48:13","date_gmt":"2025-02-27T08:48:13","guid":{"rendered":"https:\/\/www.lexxion.eu\/?post_type=dpi&p=78762"},"modified":"2025-02-27T09:48:13","modified_gmt":"2025-02-27T08:48:13","slug":"data-protection-insider-issue-128","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-128\/","title":{"rendered":"Data Protection Insider, Issue 128"},"content":{"rendered":"

-CJEU: Broad Interpretation of \u2018Undertaking\u2019 When Calculating Fines-<\/strong><\/a><\/h3>\n

On 13th<\/sup> February, the CJEU ruled that when the maximum amount for fines for GDPR infringements are calculated, \u2018the undertaking\u2019s total worldwide annual turnover in the preceding business year\u2019 has to be taken into account, irrespective of whether the fine is imposed by a DPA or by a criminal court, in ILVA A\/S<\/em><\/a>. As to the facts of the case, ILVA (furniture store chain) is part of a larger group (Lars Larsen Group). The former had breached the GDPR by not protecting adequately the personal data of about 350 000 former customers. Under Danish law, the DPA may not impose administrative fines. It may initiate them, but they are eventually imposed by a criminal court. In casu<\/em>, the proposed fine was based not only on ILVA\u2019s total turnover, but also that of the Lars Larsen Group. The dispute in the main proceedings concerns the interpretation of Article 83(4)-(6) GDPR, more specifically how the term \u2018undertaking\u2019 should be interpreted for the purposes of calculating a GDPR fine. The CJEU ruled that the term \u2018undertaking\u2019 should have the same meaning as under Articles 101 and 102 TFEU (competition law). The CJEU clarified that, as a result, when calculating the maximum<\/em> amount of fines under the GDPR, national authorities should take into account the turnover of the group to which an undertaking belongs. The CJEU recalled that, when calculating the actual<\/em> fine in each case, though, regard must be had, amongst others, to \u2018the nature, gravity and duration of the infringement; the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; the actions taken by the controller or processor of personal data to mitigate the damage suffered; the degree of responsibility of that controller or processor; and the categories of personal data affected by the infringement\u2019. Finally, the CJEU established that the above considerations are without regard to the fact whether the fine is of administrative or criminal nature.<\/p>\n

-ECtHR: Georgia Does Not Adequately Protect the Confidentiality of Lawyers\u2019 Communications-<\/strong><\/a><\/h3>\n

On 18th<\/sup> February, the ECtHR ruled that Georgian law does not provide sufficient safeguards against abuse when recording the telephone conversations of a company lawyer in Romanchenko and Kharazishvili v. Georgia<\/em>.<\/a> As to the facts of the case, the applicants are a married couple. The wife was the lawyer of a company, which was suspected of illegal trade activities and against which a criminal investigation was opened. Her husband was also suspected of having links to criminal activities. In the framework of the investigation, the prosecutor ordered the interception and recording of their conversation (including also of other individuals). The applicants complained that the measures were in breach of their Article 8 ECHR rights. The Court ruled first that the measures, according to established case law, constitute an interference with Article 8 ECHR. Then, it moved on to examine whether the measures were justified. It ruled first that the measure had a basis in domestic law and that the legal basis was accessible to the applicants. Since the matter concerns the question of covert surveillance, the Court decided to focus primarily on the question of whether there were enough safeguards against abuse, which the Court decided to examine under the requirements of both \u2018quality of the law\u2019 and \u2018necessity\u2019. The Court noted that \u2018the judge dealing with the prosecutor\u2019s surveillance application in the present case checked only whether the formal requirements had been satisfied, without taking into consideration the substantive material in support of the application. It is simply unclear to what extent the judge concerned examined the material submitted in support of the prosecutor\u2019s application, as the court order, in justifying the measure, neither made any reference to the specific facts of the case nor provided any specific reasons concerning those facts. This also concerns the operational information \u2026that was purportedly included in the case file submitted in support of the prosecutor\u2019s surveillance application\u2026. The Court cannot but note that the covert investigative measure was simultaneously ordered in respect of eight individuals within the scope of one single court order, without any individualised reasons. The court order therefore gave no relevant and sufficient reasons based on reliable information that had been purportedly provided in support of the requested covert investigative measure\u2019. In addition, the Court was also disturbed by the fact that the domestic authorities did not acknowledge and take account of the fact that the first applicant was a practising lawyer and that her communications were subject to a special level of confidentiality. Thus, the Court concluded that the interference was not in accordance with domestic law and was not \u2018necessary in a democratic society\u2019, and that there was a violation of Article 8 ECHR.<\/p>\n

-ECtHR Rules on Covert Surveillance-<\/strong><\/a><\/h3>\n

On 13th<\/sup> February, the ECtHR decided in the case of Denysyuk and Others v. Ukraine<\/em>. <\/a>In terms of the facts, the case essentially concerns a series of applicants who were subject to covert surveillance measures by the Ukrainian state. These measures included telephone taps, and video and audio surveillance. A final applicant was a lawyer involved with the aforementioned applicants who was concerned that interactions with clients might also have been subject to the covert surveillance measures, despite lawyer-client privilege. Whilst complaints were submitted to the Court under several Articles, only the Article 8 complaints will be considered here. The first set of applicants complained to the Court that \u2018the covert investigative measures of which they had been notified\u2026had breached their rights guaranteed by Article 8 of the Convention, having regard, in particular, to the alleged lack of adequate safeguards in the applicable law and the practical means of implementing it in their respective cases\u2019. The final applicant complained to the Court that \u2018his Article 8 rights had been compromised, as the domestic law applicable to covert interception of telephone communications lacked adequate safeguards protecting his privileged communications with clients\u2019. With regard to the first set of applicants, the Court found a violation, specifically highlighting that the interference \u2018was not \u201cin accordance with the law\u201d for the following reasons: (i) lacking access to the judicial decisions authorising the disputed measures, the Court\u2019 could not \u2018conclude that they were ordered \u201clawfully,\u201d including regarding the requirement to conduct a prior \u201cnecessity\u201d assessment of those measures; (ii) in the course of the implementation of the disputed measures, the applicants\u2019 communications with their lawyers were not sufficiently protected by specific and detailed rules and procedures defining how such communications should be identified and handled in the event of having been intercepted accidentally and because there was no independent oversight authority with sufficient competence to protect the applicants from abuse or mistakes by the law-enforcement officers; and (iii) the applicants could not obtain sufficient information and documents for challenging, in a meaningful way, the legality and necessity of the disputed measures after their completion and did not have at their disposal an effective domestic procedure for the determination of the core of their Article 8 complaints in good time\u2019. With regard to the final applicant, the Court also found a violation. The Court again highlighted the deficiencies with safeguards in domestic law identified in relation to the other applicants. The Court also highlighted that \u2018according to its settled case-law, an individual whose communications have been accidentally intercepted in the course of a surveillance operation targeting another person should have the possibility of vindicating his or her relevant Article 8 rights by resorting to an appropriate domestic remedy\u2019 and that it is \u2018not apparent from the material in the present case or from the Government\u2019s observations that the fourth applicant, as a person potentially randomly affected by the interception of his telecommunications, had any mechanism at his disposal for verifying the veracity of his allegations and the lawfulness and necessity of the authorities\u2019 actions\u2019.<\/p>\n

-ECtHR Rules on Provision of Telecoms Data to Tax Authorities-<\/strong><\/a><\/h3>\n

On 13th February, the ECtHR ruled in the case of <\/a>Macharik v. the Czech Republic. <\/em><\/a>In terms of the facts, the case concerned the provision, by a telecommunications provider, to state authorities, for the purposes of the investigation of tax evasion, of data related to communications concerning a certain mailbox. The applicant\u2019s correspondence and information constituted part of the information provided to the authorities. Following inspection of the applicant\u2019s information, an investigation was opened into the applicant, which concluded with the applicant being charged for tax evasion. Following a series of domestic proceedings, the applicant complained to the Court, under Article 8, that \u2018her email communications had been obtained without a proper legal basis, in breach of the guarantees of Article 8 of the Convention\u2019 \u2013 the applicant also complained under other Articles, including 6 and 13, the details of which will not be considered here. In relation to this complaint, the Court found a violation. In this regard, the Court concluded that \u2018the interpretation and application of domestic law\u2026lacked clarity and consistency and, therefore, were not foreseeable for the purposes of Article 8 of the Convention. The interference with the applicant\u2019s rights under Article 8 was therefore not \u201cin accordance with the law\u201d. In coming to this conclusion, the Court highlighted, in particular, the fact that domestic law did not seem to permit the collection of data concerning the applicant in question, the fact that the domestic courts did not address the applicant\u2019s complaints concerning the telecoms provider\u2019s confidentiality in this respect, and finally, and perhaps most interestingly, that \u2018the way in which the domestic courts interpreted and applied the relevant legal provisions was incoherent and demonstrated the lack of clarity of the legal framework in question\u2019.<\/p>\n

-AG Spielmann: Pseudonymous Data Between Identifiable and Non-identifiable Data-<\/strong><\/a><\/h3>\n

On 6th<\/sup> February, AG Spielmann advised the CJEU to rule, amongst others, that careful examination is needed in order to determine whether certain (sets of) data are pseudonymised in such a way as to preclude their identification when transferred to another entity, which could lead to the non-applicability of the GDPR in casu,<\/em> in SRB v EDPS<\/em>.<\/a> As to the facts of the case, the EDPS is seeking the annulment of a judgment of the General Court in the case of SRB v EDPS<\/em>. The procedural aspects of the case will not be further examined. The following summary will focus on the points raised in relation to the interpretation of the concerned data protection provisions, the central one of which is the concept of personal data. More precisely, in the dispute between the EDPS and the Single Resolution Board (SRB), the EDPS was of the opinion that the SRB, which clearly processes the personal data of shareholders and creditors (e.g. identity data and their comments and opinions), forwarded to Deloitte their data in pseudonymized and aggregated form, but the risk for re-identification by Deloitte was not eliminated. Hence, the EDPS decided to treat them as personal data, which led to disagreement with the SRB and the subsequent action before the General Court, whose judgment the EDPS seeks to set aside. As to the question of the concept of personal data, AG Spielmann first advised the CJEU to rule that the said data, as processed by the SRB and Deloitte, clearly \u2018relate to\u2019 natural persons and the examination performed by the EDPS had complied with Nowak<\/em> on that point. Second, AG Spielmann examined the question as to whether the data as transferred by the SRB to Deloitte were identifiable. He opined that \u2018it was necessary to determine whether the pseudonymisation of the data at issue was sufficiently robust to conclude that the complainants, who were the authors of the information transmitted to Deloitte, were not reasonably identifiable. In other words, in that context, if Deloitte had reasonable means to identify those complainants, it could be considered to be processing personal data\u2019. Third, AG Spielmann argued that irrespective of whether the data at issue may be considered personal data once transferred to Deloitte, they are still personal data for the SRB. Thus, he argued that the SRB was obliged to inform the concerned individuals about the transfer of their data to Deloitte. Finally, AG Spielmann opined on the question of accountability that the SRB had discharged its obligation to prove that it had sufficiently anonymized the data when transferring them to Deloitte and it was for the EDPB to prove that the data were not sufficiently anonymized in that case.\u00a0 \u00a0<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

-CJEU: Broad Interpretation of \u2018Undertaking\u2019 When Calculating Fines- On 13th February, the CJEU ruled that […]<\/p>\n","protected":false},"author":144,"featured_media":78759,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-78762","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/78762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=78762"}],"version-history":[{"count":2,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/78762\/revisions"}],"predecessor-version":[{"id":78817,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/78762\/revisions\/78817"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/78759"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=78762"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=78762"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=78762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}