- Illegal video and audio surveillance
As in previous years, the data protection authority (DPA) received many questions and complaints regarding the use of video surveillance (including audio surveillance). The main shortcomings identified by the DPA were failures to conduct legitimate interest assessments and to properly notify data subjects. The largest non-compliance levy with which the DPA warned data controllers was 105 000 euros in total (15 000 for each requirement that the DPA ordered the controller to fulfil).
- Shortcomings in privacy policies
- Absence of cookie consent forms
Previously the DPA was not very zealous in enforcing cookie regulations, which have not been properly implemented in Estonian local law. In 2022, however, several compliance notices were issued for violations of cookie consent rules. The DPA explained in several cases that the requirement to obtain consent for placing non-essential cookies could be interpreted as being directly applicable from the e-Privacy Directive, while where personal data is involved, the consent requirement also arises from the GDPR. The average non-compliance levy with which the DPA warned data controllers was 5000 euros (the maximum non-compliance levy for such a violation was 20 000 euros).
Predictions for 2023
- The DPA’s practices most likely will not change but will become more detail-oriented
Pending more convenient measures (like administrative fines or changes to misdemeanour proceedings), we expect the DPA will continue its current practice of trying to achieve compliance via precepts and warnings (including non-compliance levies). Recall that Estonia’s legal system does not currently allow for the administrative fines envisaged in the GDPR, while sanctioning legal persons through misdemeanour proceedings is said to be inefficient and burdensome for all the parties. The DPA seems to be going into more detail on some topics and a single complaint by a data subject can lead to detailed inspection of multiple documents, from privacy policies to legitimate interest assessments.
- Hot topics
We expect that the DPA will continue enforcement with regard to surveillance cameras and employee monitoring in general, also making sure that privacy policies are detailed and specific. Furthermore, preventive joint supervision by the DPAs of the three Baltic countries in the field of short-term rental of vehicles (e.g., electric scooters) can be expected to yield results and recommendations.
- Big fines have arrived
A fine of 1.2 million euros imposed on telecommunications provider Tet for unlawful processing of the personal data of an underage data subject was not the only surprise the DPA served up last year. In infringement proceedings against retailer DEPO DIY, the DPA first imposed a stunning 4.3 million euro fine for invalid consent, only to amend it later to a mere 17 495 euros upon appeal to the DPA director.
- The DPA knows what cookies you serve
- Sectoral supervision
The DPA approached several companies and performed in-depth audits in a context of preventive sectoral supervision. The results and, hopefully, useful data processing guidelines, are expected in 2023. Meanwhile, companies in data-intensive sectors should be prepared for detailed inspections, including on short notice.
Predictions for 2023
- The DPA is expected to be less lenient
The staff hired by the DPA in 2020-2021 has now gained experience and is not afraid to challenge seasoned data protection lawyers. We expect to see a few big fines in 2023, though the DPA will likely continue its practice of mostly imposing warnings and fines of less than 15 000 euros, which generally are not appealed. But the DPA is likely to be less lenient towards outdated or insufficient compliance documents, such as risk assessments.
- Data subjects ready and able to defend their rights
An end-of-year survey conducted for the DPA showed that more Lithuanians know their rights as data subjects and have acquainted themselves with the GDPR, as well as that more people are willing to do research and look up information they do not know or understand when they encounter improper data processing.
That could be why more than 85 percent of significant rulings passed by the DPA this year resulted from investigations started based on the complaint of a data subject. This trend shows that data subjects are more in touch with their rights and will go to the trouble of defending them, so proper compliance and management of data subject rights is becoming more important than ever.
- Health services
Health service providers were an object of special scrutiny by the DPA last year for a lack of due attention to the higher requirements for special categories of data. Rulings by the DPA show that (i) adherence to data processing principles enshrined in the GDPR (such as data minimisation and confidentiality) is a must, and (ii) that even if adequate procedures are in place, human error can still cause a breach. The latter shows that training is necessary in not only implementing, but also maintaining data security in your organisation.
Predictions for 2023
- Cookies and data protection officers
The DPA’s efforts last year mainly focused on how well data controllers in the public and private sectors comply with requirements related to cookies and on the implementation of requirements for the work of DPOs.
The DPA organised a training session for managers and DPOs in late 2022. Based on the findings of investigations, we may see guidelines or “dos and don’ts” from the DPA. This, in turn, could be a useful tool for brushing up an organisation’s procedures for data management and oversight.
- Sectors of interest
The results of and recommendations deriving from the preventive joint supervision of the DPAs of the three Baltic countries in the field of short-term rental of vehicles (e.g., electric scooters) can be expected.
However, the final activity reports are still under preparation and other sectors may also be subjected to coordinated audits.
TGS BALTIC RECOMMENDATIONS FOR 2023
- Train your people! Given the increasing number of data breaches and other security incidents that may trigger notification obligations, as well as access and other requests from informed data subjects, it is essential that all employees understand your obligations and are able to properly handle any breaches, incidents, and requests. Procedures that exist only on paper are a start, but will not get you far.
- Update your documents and procedures! While many companies made an effort to have all (or most) data-protection-related documents in place in 2018 when the GDPR became applicable, they have not kept those documents up to date, drafted other missing ones, or put the relevant procedures in place. Compliance is an ongoing process. Both changes in your own practices and new regulatory guidelines and practices require you to keep up to date.
- Make sure your SCCs have been renewed! If you rely on Standard Contractual Clauses (SCCs) in your international data transfers, remember that new SCCs were introduced in 2021 and all old SCCs needed to be replaced by 27 December 2022.
THE TGS BALTIC DATA PROTECTION TEAM
Our lawyers have extensive experience advising clients from many sectors (e.g., technology, healthcare and HealthTech, financial and FinTech, automotive, insurance, retail, e-commerce, employment, real estate, industrial, the public sector, etc.) on legal matters pertaining to personal data protection and privacy, with comprehensive know-how on effectively addressing, documenting and managing the EU General Data Protection Regulation (GDPR), e-privacy (electronic direct marketing, cookies), and national data protection frameworks.
Our team conducts personal data protection compliance audits designed to identify non-compliance, then provides custom action plans with practical guidance on how to eliminate any inconsistencies identified.
The team also offers far-reaching legal assistance in the implementation of action plans to achieve legal compliance. That includes drafting the requisite documentation (e.g., privacy and cookie notices, consent forms, records of processing activities, internal procedures, data processing agreements, data protection impact assessments, etc.), assessing clients’ business processes and procedures, and day-to-day consulting on varied issues pertaining to data protection and privacy (e.g., managing data breaches, determining the legality of and legal bases for processing personal data as well as the relevant roles, defining data retention periods, regulating cross-border transfers of personal data, appointing data protection officers, etc.).
Additionally, the team conducts data protection trainings, the content and scope of which depend on the target group and needs of the client, supports the work of data protection officers and in-house lawyers, and represents clients before the data protection authority and in courts.