Europe data privacy decisions round-up August 2021

A round-up of some of the most recent data privacy decisions led by data protection authorities in Europe.

United Kingdom

The High Court of England and Wales held that controllers and processors outside of the EU that nominate a representative under Article 27 GDPR cannot outsource liability for breaches of the GDPR. The representative can only be held responsible for their representative duties. 

Of particular note in the judgement was the comment of Mrs Justice Collins Rice, 110:

“I find no positive encouragement for ‘representative liability’ anywhere other than the last sentence of Rec.80…if the GDPR had intended to achieve ‘representative liability’ then it would necessarily have said so more clearly in its operative provisions”

You can read the full judgment here:

So at this stage, while the representative system was intended to be more than just a “postbox”, for now it remains well… like a postbox.

European Union

After the Hamburg DPA’s decision against WhatsApp which banned Facebook from processing personal data from German WhatsApp users. The EDPB has began to investigate the provisional measure and has initiated a dispute resolution process in order to help achieve EU-wide consensus on the matter. At the time of writing, they had not confirmed whether the Hamburg DPA’s measure should now apply EU wide. But they have now requested that the Irish DPA will investigate WhatsApp’s data processing and to determine if data is actually shared with Facebook via the app. We expect further updates when a decision is made by the Irish DPA on whether the privacy policy in question is appropriate or not and expect there may be legal updates required by many companies following this decision. Particularly for companies using WhatsApp for business.


Monsanto was ordered to pay the French DPA (CNIL) for creating files containing the personal data of more than 200 French and European political figures for the purpose of lobbying, without informing the data subjects, and without executing a data processing agreement with the relevant processor.


The Italian DPA fined Deliveroo Italy €2,500,000 because its app for riders did not provide clear information about the algorithms used to manage work shifts. Furthermore, its app collected a disproportionate amount of data on riders, which was found to be in violation of the GDPR principles of lawfulness, transparency, data minimisation and storage limitation.


The Spanish DPA penalized Mercadona, a supermarket chain, €2,520,000 (reduced to €1,810,000) in relation to its use of an anti-theft video surveillance system. The system relied on biometric data to identify individuals who had previously committed crimes at its store and who were banned from entering. The decision found that the data privacy impact assessment made by Mercadona when installing the system was incorrect, and failed to assess the implications fully for Mercadon staff when using a facial recognition system in the store. They also found that the use of this system was not in line with the transparency principles of GDPR. You can read the full judgement in Spanish on the AEPD’s website.


The Norwegian DPA (Datatilsynet) fined Moss Municipal Council about £40,400 (NOK 500,000) for breaching Article 32(1)(b) and (d) of EU GDPR by combining IT systems that managed health records. This process resulted in incorrect information about data subjects being recorded, and could have affected upto 2000 people.


Google was fined $41,000 for violating Russia’s data localisation law – a law that compels some online service providers to store certain types of Russian user’s personal information on local servers. The law allows for service providers to be banned from serving the Russian market, however so far authorities have stopped short of these measures. Facebook and Twitter have also received similar penalties in Russia in relation to this law.

Not sure about your own level of compliance? – Check out our training courses.