Tag Archives: GDPR

Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers

Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data. Breach of the data minimisation principle The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining … Continue Reading

Council of Europe issues recommendation on processing health-related data

The Council of Europe (CoE) recently issued its recommendation to member states on the protection of health-related data (Recommendation). The Recommendation guides member states to ensure that their law and practice reflect the principles of processing health-related data. The recommendations stem from Convention 108 which was the first international treaty in the field of data … Continue Reading

Processing publicly available personal data without telling data subjects? The Polish data protection authority has (bad) news for you…

The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it … Continue Reading

Cooperation and consistency? Nine months in, the EDPB reflects on GDPR

The European Data Protection Board (EDPB) has published a report (Report) assessing the implementation and enforcement of the General Data Protection Regulation (EU) 2016/679 (GDPR). The Report focusses on how the cooperation and consistency mechanisms are being used by EU supervisory authorities (SAs). Cooperation mechanism Where cases involve cross-border processing, SAs cooperate through: Mutual assistance; … Continue Reading

Is the Dutch GDPR fining matrix setting the tone for the ICO’s future fining policy?

The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR. Four categories of fines plus an aggravating category The legal maximum monetary fine that can be … Continue Reading

Involved in AI? The ICO wants to hear from you.

The Information Commissioner’s Office (ICO) is inviting organisations to help develop a framework for future auditing of artificial intelligence (AI). A team from the ICO’s Technology Policy and Innovation Directorate will develop the framework. The framework is intended to help regulators ensure AI applications are transparent, fair and appropriately risk assessed. As well as the … Continue Reading

How (not) to restrict GDPR access requests in employment proceedings – German court establishes high threshold

Procedural laws and principles contain a clear concept regarding which party must present and prove what information in court proceedings. Claimants in employment proceedings currently try to use the right to access of data subjects under Article 15 GDPR to shake this concept up. Judgment of the Higher Labour Court of Baden-Württemberg On 20 December … Continue Reading

Planet49: Advocate General’s opinion on cookies and consent bundling

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes: A checkbox obtaining … Continue Reading

e-Privacy meets GDPR – the European Data Protection Board shines some light

The European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically: whether data protection authorities (DPAs) are competent to regulate processing that triggers both … Continue Reading

In privacy we (anti)trust: Regulators worldwide consider competition law as tool for consumer protection

On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task … Continue Reading

Get your update on IT & Data Protection Law in our Newsletter (Winter 2019 edition)

The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR. We hope you enjoy … Continue Reading

FCA and ICO strengthen cooperation in renewed memorandum of understanding

On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing. Cooperation and information sharing The ICO and FCA have set out what matters they will communicate with each other … Continue Reading

First annual report of the European Data Protection Supervisor since GDPR

On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year. This is a short overview of some of the key themes in the EDPS’s annual report: Overview of 2018: GDPR: This is the first annual report of … Continue Reading

EDPB issues guidelines on GDPR certification

The European Data Protection Board (EDPB) has adopted guidelines in relation to the certification mechanism prescribed under the General Data Protection Regulation 2016/679 (GDPR). The EDPB guidelines are aimed at supervisory authorities and certification bodies and provide helpful insight into the requirements and criteria relevant to all types of certification mechanisms issued under articles 42 … Continue Reading

UK regulator to focus on ad-tech

On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices. Why ad-tech? ‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses … Continue Reading

No-deal Brexit: EU regulators issue data transfer guidance

On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here. At this session, the EDPB adopted two information notes. The information notes offer guidance on data protection issues in the event of a no-deal Brexit, namely: data transfers generally … Continue Reading

Draft amendments to China’s personal information standards proposed

China’s National Information Security Standardization Technical Committee issued draft amendments (Amendments) to the standards that govern the protection of personal information, “Information Security Technology – Personal Information Security Specification” (Standards, effective May 1, 2018) on February 1, 2019. The Standards provide guidance on interpreting China’s Cybersecurity Law (CSL) and set out best practices for the … Continue Reading

Updates from the European Data Protection Board

The European Data Protection Board (EDPB) met for its seventh plenary session on 12 February 2019. The session covered many areas of discussion, outlined in the agenda. The four main areas covered, and highlighted in the EDPB’s press release, were: 1. Work programme: The EDPB adopted a two-year work programme, covering 2019-2020. The work programme … Continue Reading

The interplay between the Clinical Trials Regulation and the GDPR

The European Data Protection Board (EDPB) recently adopted its opinion on the interplay between the Clinical Trials Regulation 536/2014 (CTR) and the General Data Protection Regulation 2016/679 (GDPR) (the opinion). The opinion was given at the request of the European Commission. The CTR seeks to harmonise the rules for conducting clinical trials throughout the European … Continue Reading

German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner. Audit by the Bavarian DPA Tracking and the requirements for using cookies have been a highly debated topic … Continue Reading

Free flowing data for 127 million people: Japan and the EU break down personal data transfer barriers

On 23 January 2019, the European Commission adopted an adequacy decision for Japan, with immediate effect. The decision certifies Japan as having a comparable level of data protection to that of the European Union. On the same day, Japan adopted an equivalent decision regarding the EU’s data protection regime. This is the first example of … Continue Reading

First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first sanction decision rendered by the CNIL on Monday January 21, 2019, which … Continue Reading

Brexit countdown: UK government to amend domestic data protection legislation

The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 have been laid before the UK Parliament. The regulations are introduced under the European Union (Withdrawal) Act 2018. The Withdrawal Act grants powers to correct deficiencies in UK legislation that will arise as a result of Brexit. The regulations introduce a large … Continue Reading

‘No deal’ Brexit: ICO and UK government issue data protection guidance

The Information Commissioner’s Office (ICO) and the UK Department for Culture, Media and Sport (DCMS) have each issued no-deal Brexit data protection guidance. EU/UK personal data transfers The UK government has committed to incorporating the General Data Protection Regulation (GDPR) into domestic UK law when the UK leaves the EU. This means there will not … Continue Reading