Aug 28, 2024

Article 30 of the General Data Protection Regulation requires controllers of personal data to maintain a 'record of processing activities' which includes seven key pieces of information:


  1. Controller name and contact information.

  2. Purpose for the processing.

  3. The categories of personal data and data subjects.

  4. The categories of recipients to whom data will be disclosed.

  5. Transfers of data to third countries or international organizations.

  6. The time range for which the data will be held and then erased.

  7. The security measures taken to protect the data.


You can find a good example of a spreadsheet used to track ROPA data on the site of the UK's National Health Service.



Compare this with an example on the site of the Commission nationale de l'informatique et des libertés (CNIL), the French agency charged with enforcing data privacy laws.



Supporting documentation is often required for ROPAs, such as vendor DPAs (Data Processing Agreements), which set out the terms under which a service provider processes personal data for a company, and responses to DSARs (Data Subject Access Requests), which document the actions taken to access, alter, or remove personal data at the request of the person whose data is involved.


Organizations often prepare data maps to track the personal data they are holding. Some service providers such as BigID have developed systems which help companies assess private data on their network.







The Hamburg Commissioner for Data Protection issued a press release yesterday which noted that it has warned the city government about its use of the on-demand version of Zoom. The Commissioner believes that Zoom does not comply with the provisions of the General Data Protection Regulation. Data is transferred by Zoom to the United States, which has been judged to have inadequate privacy safeguards. (See the post on the Schrems II decision in the Tip of the Night for July 22, 2020.) The Commissioner determined that Zoom was not following the rules set by the European Data Protection Committee for the transfer of data to the United States.


The Commissioner issued a formal warning to the Hamburg Senate under Article 58(2) of the GDPR that processing operations in Zoom were likely to infringe the GDPR.


The on-demand version of Zoom is in effect a one-way webinar in which the participants cannot interact with the hosts as they would in a normal Zoom session. On-demand webinars are stored in the cloud, and are available to webinar registrants later on.


The Commissioner specifically recommended the use of a different video conferencing program.



Earlier this month, the Commissioner for Data Protection and Freedom of Information in Hamburg ordered Facebook's subsidiary in Ireland to stop processing personal data collected from WhatsApp. See, Press Release, The Hamburg Commissioner for Data Protection and Freedom of Information, Order of the HmbBfDI: Ban of further processing of WhatsApp user data by Facebook (May 11, 2021), available at: https://datenschutz-hamburg.de/assets/pdf/2021-05-11-press-release-facebook.pdf. WhatsApp users will have to agree to new terms which allow their data to be shared with Facebook by May 15, or they will have to make do with a version of the app with limited functionality. The data will be used for advertising to WhatsApp users. The Commissioner found that the data processing does not comply with the GDPR.


The Commissioner criticized WhatsApp for isolating terms regarding data transfers in separate areas of the new terms, and using contradictory language. Facebook's processing of WhatsApp data could not be regarded as being necessary for the performance of a contract. "Facebook cannot claim a prevailing legitimate interest in processing the data of WhatsApp users because their interests are overridden by the rights and freedoms of the data subjects. Consent is neither given freely nor in an informed manner. This applies particularly to minors. For these reasons, consent under data protection law cannot be considered as a legal ground." Ibid. The Commissioner faulted WhatsApp for not promptly responding to its inquiry into how data is shared.


The order will be in effect for three months while the Commissioner requests that the European Data Protection Board issue a final decision. Article 66 of the GDPR allows a supervisory authority to immediately adopt provisional measures when there is an urgent need to act. These measures can only last for three months.



Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.