Data Protection Newsletter

√     Cookies – French Data Protection Authority focus area
√     New rules for Artificial Intelligence
√     Several fines applied by the Romanian Data Protection Authority

1.   French DPA focuses its efforts on cookie compliance

The French DPA has begun conducting checks to ensure websites are following the new guidelines on advertising trackers. The guidelines clarify the rule already established by the GDPR: consent for cookies must be granted by a clear and positive act. The French DPA reaffirms that (i) simply continuing to browse a site cannot be considered a valid expression of the web user’s consent, and (ii) it must be as easy to withdraw consent as to give it.

2.   A new Artificial Intelligence Regulation

The European Commission proposed a new set of rules on artificial intelligence aiming to guarantee the safety and fundamental rights of people and businesses. The regulation proposes a risk-based approach with four levels: unacceptable risk, high risk, limited risk and minimal risk. Failure to comply with the obligations set for each risk category may attract fines up to EUR 30,000,000 or 6% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

3.   EUR 5,000 fine applied to a company for excessive CCTV surveillance

The RDPA concluded that the company processed the image of its employees excessively through CCTV systems placed in the locker rooms and dining area. Thus, the RDPA considered that the personal data processing activities were not adequately adapted for the security purposes outlined by the company. Moreover, the RDPA restates that the use of consent as the applicable legal basis for processing employees’ personal data is improper.

4.   EUR 1,500 fine applied to a data processor

The investigation carried out by the RDPA ended with a fine applied to a data processor following a complaint filed by a data subject and a data breach notified to the authority by the data controller. The fined company destroyed documents containing personal data belonging to 1058 data subjects without receiving instructions from the data controller. Thus, the RDPA concluded that the company failed to comply with the obligations set out in Articles 29 and 32 of the GDPR.


*This ePublication is provided by Radu Taracila Padurari Retevoescu SCA and is for information purposes only. It does not constitute legal advice or an offer for legal services. The distribution of this document does not create an attorney-client relationship. If you require advice on any of the matters raised in this document, please call your usual contact at Radu Taracila Padurari Retevoescu SCA at +40 31 405 7777.