Bird & Bird

Privacy & Data Protection Update

Issue 17 - April 2009

In this edition of the newsletter, we look at new guidance on telephone marketing in Spain and the impact of MIFID on data protection in Belgium. We look at recent UK rules on moderating children's websites, and consider how companies can best deal with subject access requests. We consider increased fines in Italy for violation of Italian Data Protection law, and look at new security measures that must be put in place for system administrators. We consider the data protection implications of use of fingerprinting in Poland and journalistic activities in Finland. We look at employee monitoring in the Czech Republic, and viral marketing in The Netherlands.

Belgium

Chairman of Privacy Commission announces tougher enforcement of data protection laws

Peter Van de Velde, Brussels
The Chairman of the Belgian Privacy Commission has announced in a press statement that his services will increase the enforcement of data protection laws in the private sector. This relates in particular to the use of the Privacy Commission's inspection powers under the Data Protection Act of 8 December 1992.

Banks to share confidential customer data with tax authorities

Peter Van de Velde, Brussels
According to the Markets in Financial Instruments Directive (MiFID), which entered into force on 1 November 2007, banks and investment firms are required to collect a detailed profile of their customers. Most financial institutions collect this information from their customers via detailed questionnaires. In these questionnaires customers provide information on their financial assets, savings, real estate and other property (which may include information on assets held with other banks). This information should allow banks and investment firms to tailor their investment product offers to customers' needs. The objective is to better protect consumers against investment risks.

Top

Quick links

Belgium

Czech Republic

Finland

France

Germany

Italy

The Netherlands

Poland

Spain

Sweden

Previous issues

Issue 16 - November 2009

Issue 15 - March 2008

Issue 14 - November 2007

Issue 13 - July 2007

Issue 12 - February 2007

Czech Republic

Processing of data obtained from monitoring systems
Zuzana Fantova, Prague
Over the past few years the Data Protection Office in the Czech Republic has dealt with the question of monitoring systems on many occasions. It has decided that the operation of monitoring systems constitutes "Personal Data Processing" as defined in Act No. 101/2000 Coll. (the "Data Protection Act") and that operators must therefore comply with the Data Protection Act.

Top

Finland

The European Court of Justice issues a decision seeking to balance data protection rights against journalistic activities
Kaisa Keski-Vhl, Helsinki
In Finland, the details of taxes paid by individuals are made publicly available. The Finnish company, Satakunnan Markkinaprssi Oy ("Markkinaprssi"), collects public data from the Finnish tax authorities for the purpose of publishing extracts from this data in the regional newspaper each year. The information contained in these publications comprise the name (first name and surname) of approximately 1.2 million individuals whose income exceed certain thresholds, as well as the amount to the nearest €100, of their earned and unearned income. The publications also contain details relating to the wealth tax levied on these persons. Such information is set out in the form of an alphabetical list, and is organised according to municipality and income bracket. The newspaper's main purpose is to publish personal tax information.

Top

France

Breaches of data subjects' rights on the internet
Claire Romac, Paris
The CNIL issued a warning against the website "entreparticuliers.com" which specialises in putting real estate buyers and sellers in contact with each other. The website had breached the rules on unfair collection of personal data, provision of information to users and security measures and the CNIL's warning was highly publicised.

Top

Germany

"Telekomgate" and other data scandals in Germany
Jrg-Alexander Paul and Corinna Preu, Frankfurt
Data Protection has recently featured highly in German press releases. Headlines such as "Thieves nicked 17 million T-Mobile customer records" and "Gigantic data leak" are not just used by the tabloid press; in fact they reflect a national and international phenomenon: the deliberate or unintentional mishandling of personal data. The attention given to data protection breaches by the media has sparked a public interest in data protection issues. Lobbyists as well as politicians are demanding the tightening of data protection laws. Although there are strong arguments that existing data protection laws are sufficient, the German legislator has already taken specific steps to amend the law. The most important legislative projects are summarised in this article.

Top

Italy

Tightening of sanctions for violation of the Italian data protection law
Debora Stella, Milan

The administrative penalties scheme under the Italian Data Protection Code (Legislative Decree 30 June 2003 n. 196) has recently been substantially amended. Article 44 of the Decree, dated 18 December 2008, no. 207 (published in the Italian Official Gazette no. 304 dated 31 December 2008) tightens the administrative penalties under the Italian DP Code.

Additional legal requirements relating to security measures for system administrators
Debora Stella, Milan

On 27 November 2008, the Italian Data Protection Authority, the Garante, issued a general prescription which requires organisations to implement additional security measures. These measures should be applied in relation to personal data that are processed by, or accessible to, system administrators.

Top

The Netherlands

Dutch authorities publish rules on viral marketing and tell-a-friend schemes
Gerrit-Jan Zwenne, The Hague
The Telecoms Authority (OPTA) and the Dutch Data Protection Authority have recently published a joint opinion stating that viral marketing and 'tell a friend' schemes on websites are permitted, provided that certain conditions are met.

Top

Poland

Supervision of working time: companies can use fingerprints to evidence employees' working time
Piotr Dynowski, Warsaw

On 27 November 2008, the Regional Administrative Court in Warsaw (WSA) issued a judgment upholding the right of LG Electronics process to employees' fingerprints for the purposes of evidencing their working time. In doing so, the WSA overruled two previous decisions of the Polish Chief Inspector for Personal Data Protection (GIODO). The case concerned the implementation by LG Electronics of a system for scanning employees' fingerprints for the purposes of evidencing their working time. The GIODO has issued numerous decisions prohibiting employers from doing this, however, LG Electronics is the first employer to appeal the GIODO's decision to the WSA.

Top

Spain

Spanish authorities warn about the risks to privacy and security on social networks and suggest improvements in protection systems
Blas Piar, Madrid
The National Communications Technology Institute (INTECO), in collaboration with the Spanish Data Protection Agency, has presented a report on the security and data privacy issues that arise from social networking sites, making a number of recommendations. The report warns that there are three different and critical stages where the users' security and privacy may be specially hindered: registration; when additional information is uploaded to the site by the user; and if the user wants to unsubscribe from the service.

Spanish Data Protection Agency publishes new telephone marketing guidelines
Carolina Tardin and Blas Piar, Madrid
On 19 November the Spanish Data Protection Agency (SDPA) released the results of its "ex officio Sector Plan on telephone advertising", in which it analyses the practices of major mobile and fixed telephone operators and other entities providing SMS Premium messages or subscriber services in Spain. It provides some practical recommendations and guidelines for users and companies operating in this industry.

Top

Sweden

Unions prohibited from processing salary information
Marie Englund and Ida Smed Srensen, Stockholm
A county administrative court has decided that a trade union, Byggnads (the Swedish Building Worker's Union), may no longer review or process the salary information of workers who are not members of its organisation. On 17 December 2007, the Data Inspection Board decided that Byggnads should cease all processing of personal data relating to workers who are not members of the organisation.

Top

A guide to handling access requests
Hazel Grant, Stephen Musgrave, Rhian Hill and Michelle Watson, London
For many organisations one of their key problems with data protection legislation is handling requests from individuals for access to the information held on them. This problem is exacerbated when, as now, we enter a financial crisis and organisations start to make redundancies, freeze pay levels or delay promotions. We have seen a marked increase in the use of access requests by employees who are in dispute with their employers.

In this short article we briefly describe some of the key actions which an organisation should take when receiving a request for access, in order to comply with the DPA and minimise the considerable impact on the business.

New regulation rules for moderators of children's websites
Ruth Boardman and Marvin Farrell, London
From 12 October 2009, employers will need to register employees engaged in regulated activities, in accordance with the Safeguarding Vulnerable Groups Act. Regulated activities include the moderation of interactive websites used wholly or mainly by children.

Top

This update gives general information only as at the date of first publication and is not intended to give a comprehensive analysis. It should not be used as a substitute for legal or other professional advice, which should be obtained in specific circumstances.