France: CNIL suggests improvements for proposed law on global security and drone use

The French data protection authority (‘CNIL’) announced that it had given its opinion on the draft law on global security.
In particular, CNIL pointed out that, in its current state, the law does not provide for a system that would safeguard privacy and personal data adequately. More precisely, CNIL emphasized that the proposed legislation includes different provisions relating to the protection of personal data, in particular the amendment of the relevant legal basis to be used in the regulation of video and drone technology.

EDPB: Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive

Where the working document WP254.rev01 on adequacy referential aims to provide guidance to the European Commission on the level of data protection in third countries and international organisations under the GDPR, the present document aims to provide similar guidance under the LED. It establishes in this context the core data protection principles that have to be present in a third country or an international organisation legal framework to ensure essential equivalence with the EU framework within the scope of the LED (i.e. for processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties). In addition, it may guide third countries and international organisations interested in obtaining adequacy.

Denmark: Datatilsynet issues guide on setting fines for breaches of data protection legislation

With respect to how fines are assessed, the guide aims to encourage greater accountability. In addition, the Guide defines the standard monetary sums for six separate types of infringements, stating that they can be modified, taking into account the type, gravity and length of the violation, according to the particular circumstances of the event.

Belgium: DPA publishes recommendations for data cleansing and record destruction

The Belgian Data Protection Authority (‘the Belgian DPA’) released recommendations for data controllers on data cleansing and the destruction of records.

The guidelines are intended, in particular, to help data controllers avoid unauthorized access to personal data stored in such records and to ensure the privacy of personal data belonging to Belgian citizens.

France: CNIL publishes report on its role and privacy challenges during pandemic

On 21 January 2021, the French Data Protection Authority released its report on its activities during the coronavirus pandemic, in particular on the position of the regulator and on the challenges of personal data protection in times of crisis, in order to better educate professionals and individuals.

Press release:


Nederland: Dutch DPA issues Formal Warning to a Supermarket for its use of Facial Recognition Technology

The Dutch Data Protection Authority (DPA) has issued a formal warning to a supermarket for its use of facial recognition technology. Although the facial recognition technology has been disabled since December 2019, the supermarket wished to turn it back on.

Facial recognition technology uses biometric data to identify people. The use of facial recognition for security is prohibited in all but two situations.

The first is if the people have given explicit consent for their data to be processed. Here, although the owner of the supermarket claims customers had been warned that the store used facial recognition technology, the customers did not give explicit consent for this.

The other exception is if facial recognition technology is necessary for authentication or security purposes, but only in so far as substantial public interest is concerned. The supermarket claims that this is the case. The DPA considers that it is not.

Italy: Garante orders TikTok to stop processing user data when age is not ascertained

Further to the case of child drowning following a TikTok appeal, the Garante agreed to interfere and prohibit the processing of user data by TikTok if the age of the user has not been determined, taking into account the special security that should be given to children with regard to the protection of their personal data under the GDPR.