Answer given by Mr Reynders on behalf of the European Commission
19.11.2021
Under the General Data Protection Regulation (GDPR)[1], the independent national data protection supervisory authorities are in charge of the enforcement of data protection rules, under the control of courts, without prejudice to the Commission’s competences as guardian of the Treaties. The Commission has no enforcement powers vis-à-vis individual controllers and is thus not entitled to comment on specific incidents.
The French data protection authority CNIL has, as the competent supervisory authority, all necessary tools to follow up with the controller concerned. The controller has also brought the suspected attack to the attention of law-enforcement authorities[2].
It is the responsibility of the authorities issuing EU Digital COVID Certificates as controllers to implement appropriate security measures[3]. Neither Regulation (EU) 2021/953 nor the GDPR prevents them from using external processors in fulfilling their tasks. Should they choose to rely on an external processor, the GDPR provides for requirements for the contract with the processor, to ensure that the controller stays in control of the processing.
The Commission does not intend to propose changes to the legal framework as a follow-up to this incident. The rules on data breach notifications introduced by the GDPR ensured that the controller brought this incident to the attention of the CNIL and informed the persons affected. It is precisely because the EU has adopted data protection rules such as GDPR that the data protection supervisory authorities can take action against alleged breaches of privacy and data protection.
- [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119 4.5.2016, p. 1, https://eur-lex.europa.eu/eli/reg/2016/679
- [2] https://www.aphp.fr/contenu/lap-hp-porte-plainte-suite-une-attaque-informatique-sur-son-service-securise-de-partage-de
- [3] See recitals 53 and 54 of Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic. These recitals recall Member States’ obligations under the GDPR to ensure appropriate security for the processing of personal data. The regulation is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021R0953