New Year? New Newsletter edition! In issue #99, find out more about the top consultations and complaints we dealt with in 2022 and our activities to mark data protection day, as well as our latest Opinions, including one that may have an impact on your holidays and one concerning your instant payments! This issue is also part of our podcast series, the Newsletter Digest.
In this issue
Data protection and privacy, the pillars of society
On 28th January, it was data protection day: a day on which we celebrate together the historical and global efforts made, and still to be made, to put privacy and data protection at the centre of our lives.
In a video message marking the occasion, the Supervisor, Wojciech Wiewiórowski, highlights that decisions on the use of individuals’ personal data interfere with the very right of being alive in this world as humans, stressing that the role of governments is to empower individuals, especially the most vulnerable, to gain, or keep, control over their personal data.
“Europe is leading the way in regulating and shaping our future (...)”, he continues, but there is more to do yet to create conditions for individuals to be able to engage in free, meaningful choices in the digital environment.
Concluding his address, the Supervisor underscores his commitment to continue making data protection and privacy part of the basic pillars of our society.
Know your data protection rights
Picture this: you have recently signed up to the newsletter of your favourite newspaper with your email address, or registered to attend an event organised by an EU institution, body, office or agency (EUI) by filling in a form with your name, address, and other similar personal details.
You have just given your personal data, but are you aware that you have data protection rights?
With our factsheet, “Your data, Your Rights”, we provide you with a quick recap of the data protection rights you have when someone, like an EUI, processes your personal data, such as the right to be informed about how personal data is being processed, or the right to rectify your data.
To get a complete picture of your data protection rights, check out our factsheet now!
What are you waiting for? Subscribe to our TechDispatch now!
The EDPS’ TechDispatch reports, an initiative launched in 2019, aim to explain, inform and raise awareness of potential data protection issues surrounding new and emerging technologies. Each report introduces a new technology, explains how it is used and developed, and assesses its impact on individuals’ rights to privacy and data protection, followed by some further recommended reading.
Our most recent TechDispatch is on Federated Social Media Platforms (Fediverse).
The Fediverse is a set of federated social media platforms, independent from each other, that are interoperable, therefore enabling their users to interact with each other.
So how do these federated social media platforms compare to the traditional social media platforms used by many? What are the advantages, and the potential pitfalls, of using them? Do they sufficiently protect the personal data of those using these platforms?
You can find out more by reading our TechDispatch on Federated Social Media Platforms available here on the EDPS Website.
Want to be the first one to receive our latest TechDispatch reports? Subscribe here.
A 2022 review of personal data breaches
Last year, the EDPS received 96 new personal data breach notifications, submitted under Regulation (EU) 2018/1725, the data protection regulation for EU institutions, bodies, offices, and agencies (EUIs).
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to transmitted, stored or processed personal data of individuals. The impact of a personal data breach can be far-reaching, such as identity theft or damage of an individual’s reputation.
In 2022, it was found that the most common root cause of personal data breaches was human error, predominantly in the context of EUIs’ recruitment procedures. It was also found that personal data breaches caused by elaborate external attacks are on the rise. External attacks can, in some cases, exploit vulnerabilities arising from EUIs’ failure to implement the security measures and procedures required by Article 33 of Regulation 2018/1725.
As such, continuing its proactive approach of 2021, the EDPS organised three training sessions aiming to raise EUI employees’ awareness of how to prevent or manage personal data breaches. These training sessions cover the most frequent scenarios in which a personal data breach may occur, such as addressing a letter or an email to the wrong recipient, or, more complex still, errors when handling transparency and access-to-documents procedures. The sessions give EUI employees and data protection officers ideas on how to minimise or avert risks in some of these situations.
Find out more about personal data breaches in our factsheet available on the EDPS Website.
Top three consultations & complaints of 2022
As the year 2023 has just started, we share with you today the top consultations and complaints dealt with by the EDPS over the year 2022, as well as our follow-up actions in our colourful infographic; have a look at it here!
As part of our work, the EDPS is consulted by EU institutions, bodies, offices and agencies (EUIs) and their data protection officers on their day-to-day activities with an impact on data protection and the processing of individuals’ data. We also process complaints made by individuals about how their personal data has been processed by an EUI.
We therefore think it is important to keep track of the recurrent topics and issues encountered in these areas. In addition to dealing with complaints and applying enforcement actions when needed, this exercise helps us inform our work and accurately calibrate the guidance we share publicly through Supervisory Opinions, Guidelines, and Factsheets. It also helps us map out our activities to best support data protection officers and employees of EUIs, including our colleagues at the EDPS, through the organisation of training sessions, events, and more, to raise awareness and share good practices for complying with EU data protection law.
Reflecting on what we have done over the past year, three issues in particular came up; these are the following:
- the concepts of controller, joint controller and processor, which relate to the entities and individuals who decide why and how personal data is processed, those who carry out the processing on their behalf, and the responsibilities and dynamics involved when more than one person or entity is involved;
- data subjects’ right of access, which relates to individuals asking the entity or individual concerned for access to their data, how it is processed and for what purposes;
- the topic of international transfers of personal data, which relates to individuals’ personal data being transferred outside the EU or the European Economic Area; this data must be sufficiently and adequately protected before such a transfer takes place.
Secure instant payments for individuals in the EU
In its Opinion published on 19 December 2022, the EDPS welcomes the proposed Regulation aiming to increase the use of instant credit transfers in an efficient and accurate way. In particular, the EDPS welcomes the proposed measures aiming to resolve issues linked to instant credit transfers under the current Regulations, namely by tackling the high rate of rejected instant payments due to the misidentification of individuals.
Wojciech Wiewiórowski, EDPS, said: “Individuals make payments multiple times a day; they need to be able to trust confidently that their payment data, and other related personal data, are protected securely when carrying out transactions, such as credit transfers. In light of this, I welcome the proposed Regulation as a legislative instrument that aims to protect individuals in the EU, their personal data and financial interests.”
The Opinion that the EDPS has issued focuses on two measures of particular relevance to data protection. Read the Opinion to find out more.
Where are you holidaying this year?
Planning a holiday in 2023 and looking for a place to stay for a few days? Have you used a short-term accommodation rental service for your latest trip? Looking to make some extra cash by renting out your home for a short period of time?
Well, the EDPS has recently issued an Opinion on a European Commission’s proposed Regulation on data collection and data sharing related to short-term accommodation and rental services, which may concern you!
One of the aims of the proposed Regulation is to harmonise registration schemes and other transparency requirements for short-term accommodation and rental services, regarding, for example, registering a property to be rented out, information on its owner (the host). One of the reasons for establishing these registration schemes and transparency requirements is to use some of the information gathered to address issues, such as affordable housing and protecting the urban environment.
According to this Regulation, the host would have to submit certain information to competent authorities, such as details on their identity, their property, their financial situation, the number of guests, and other relevant activities. The host would then obtain a unique registration number, and competent authorities would validate and verify this information. Competent authorities would also be able to request additional information, or even suspend the validity of the registration number, if justified.
In its Opinion, the EDPS recommends that the data transmitted to the competent authorities excludes the use of personal data for law enforcement purposes, or for taxation.
The EDPS also believes that reporting personal data related to guests, such as the duration of their stay, should not be required. This information is not necessary for the purpose of this proposed Regulation, writes the EDPS.
When it comes to collecting hosts’ personal data, the EDPS recommends that the proposed Regulation specifies the categories of personal data to be submitted, and the length of time for which they will be stored. Hosts should also be able to challenge or correct information submitted for validation and verification to competent authorities.
It’s plane and simple: we help protect your personal data
On 14th December 2022, the EDPS issued a decision authorising an Administrative Arrangement, until 30 June 2024, between the Single European Sky ATM Research 3 Joint Undertaking (SESAR) and the European Organisation for the Safety of Air Navigation (Eurocontrol). SESAR is a European public-private partnership that aims to help Europe’s aviation infrastructure and related technologies to be better prepared for future demands in this area. Eurocontrol is a member of SESAR, and, to this end, provides, amongst others, financial contributions for these objectives.
An Administrative Arrangement maps out the procedures, safeguarding measures, and other relevant measures to ensure that transfers of personal data outside the EU or the European Economic Area (EEA) are carried out in a way that protects individuals’ personal data to the same standard as inside the EU and the EEA. The EDPS has to authorise any administrative arrangement between an EU institution, body, office or agency and an international organisation located outside the EU or the EEA before any transfer can proceed.
When assessing the Administrative Arrangement, the EDPS noted that one of the major issues that came up related to oversight and judicial redress mechanisms: in other words, the measures for supervising and checking that these types of international transfers sufficiently protect individuals’ personal data, and the contingency measures envisaged if these transfers go wrong. As a way to resolve some of these issues, Eurocontrol aims to modernise its data protection framework by the end of 2023. In the meantime, Eurocontrol and SESAR will rely on the International Court of Arbitration of the International Chamber of Commerce to fulfil the role of oversight and judicial redress temporarily for this Administrative Arrangement, which the EDPS deems satisfactory for the time being.
Taking this into account, the EDPS nonetheless specifically highlights that for the present Administrative Arrangement to be renewed after 30 June 2024, SESAR should file this request in due time, including specific information on how, and in what ways, Eurocontrol’s data protection framework has been modernised to safely support transfers of individuals’ personal data outside the EU or EEA.