In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions: 15 monetary penalties, ranging between £2k and £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last concerned a ransomware attack: although the controller was itself the victim of a malicious cybercrime, it was penalised for failing to address known vulnerabilities and to prevent the ransomware attack in time.
Continue Reading ICO enforcement actions in Q1 2022

The Winter 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Strengthening fair competition – changes to the law against unfair competition
  2. Cologne Regional Court on the broad concept of the right to access

After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019.

The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and also takes into account the circumstances of the individual case as described in article 83(2) GDPR. The Concept provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organization (Violating Entity).

The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. The Concept shall only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR. In addition, the Concept shall not be used for fining associations or natural persons acting outside of their economic activity.

In this blog, we explain the five-step procedure that the DSK applies in the calculation:
Continue Reading Calculation of administrative fines under GDPR – standardized concept published in Germany

The Information Commissioner’s Office (ICO) announced a £100,000 fine imposed on the telecoms company, EE Limited (EE), for breaching the Privacy and Electronic Communications Regulations 2003 (PECR). The timing of the breach meant that the General Data Protection Regulation 2016/679 (GDPR) was not applicable.

What happened?

EE sent customers a text message encouraging them to

By a new sanction decision rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligations to maintain the security of personal data and to limit its storage. This €400,000 fine is the first sanction imposed on a French company under the General Data Protection Regulation (GDPR) and is also the most significant financial penalty imposed on a French company for data breaches to date. It represents close to 1 per cent of the fined company’s yearly turnover.
Continue Reading First sanction decision rendered by the CNIL regarding data breaches worth almost 1 per cent of the company’s yearly turnover: the era of tolerance seems to be over

The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions.

Local implementation efforts

Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called ‘opening clauses’. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.

EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.

Local implementation highlights

Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:

  • In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
  • France has some preliminary notification obligations, in particular with regard to the processing of biometric or genetic data.
  • Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
  • Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
  • Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
  • The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.

You can find an overview of all implementation laws and their specialties here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en.
Continue Reading One year of GDPR – How have EU member states implemented and enforced the new data protection regime?

A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty on the company Optical Center for failure to secure personal data on its website, where a breach occurred that allowed access to invoices and purchase orders containing personal and sensitive data of customers. Following Optical Center’s appeal, France’s highest administrative court (the “Council of State”) confirmed the sanction but reduced the amount of the penalty to 200,000 euros in a recent decision dated 17 April 2019.

Unlike in the U.S. in particular, sanctions for data breaches in France remain in the hands of the regulator, the CNIL. Given that the sanctioned facts took place before the entry into force of the GDPR, the CNIL was limited in its sanction powers, and the penalty, compared to the standards applicable at that time, can be seen as severe. Another factor played a role: Optical Center had already received a 50,000 euros penalty for a similar data breach on 5 November 2015, which was confirmed on 19 June 2017 by the Council of State.
Continue Reading The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg?

The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Due to the timing of this breach, it was governed by the Act rather than by the General Data Protection Regulation 2016/679 (GDPR). The maximum penalty permitted under the pre-GDPR regime in the United Kingdom was £500,000.

Background

Bounty was a pregnancy and parenting support club. It provided information packs and goody bags to mothers in exchange for personal data. It also provided a mobile app for users to track their pregnancies, as well as offering a new-born portrait service. Its portrait service was the largest in-hospital service of its kind in the United Kingdom.

Bounty had a data protection policy on its website. The data protection policy stated that Bounty: (i) collected personal data for marketing purposes; and (ii) might share personal data with selected third parties. The data protection policy stated that users might receive communications from Bounty or a third party. However, the policy did not specifically identify third parties or the types of third parties that personal data would be shared with.

Bounty also collected personal data using hard copy cards completed in maternity wards. These cards stated that recipients consented to Bounty processing their personal data if the cards were filled in. The cards also briefly outlined the possibility that personal data could be shared by Bounty. However, again, no detail about third party recipients was included. Recipients were obligated to provide their names and postal addresses when filling in the cards. To use Bounty’s services, recipients had no choice but to provide some personal data.
Continue Reading Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data

Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data.

Breach of the data minimisation principle

The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by retaining personal data long after the envisaged retention limit for such data, thereby finding an affirmative duty to delete expired personal data. Taxa had deleted customers’ names and addresses after two years of retention but had retained customers’ telephone numbers for an additional three years. Taxa argued that telephone numbers were an essential part of its IT database and therefore could not be deleted in the same time span.
Continue Reading Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers