Download free GDPR compliance checklist!

Tag Archives for " DPA "

€114 Million in Fines Imposed by EU Authorities Under GDPR

New findings from DLA Piper show that 160,000 data breach notifications reported across 28 European Union Member States and data protection authorities have imposed €114 million in monetary fines under the GDPR for a wide range of infringements. Not all fines were related to data breach infringements, however.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

Source: €114m in Fines Imposed by Euro Authorities Under GDPR – Infosecurity Magazine

Italy fines gas company EUR 11.5 million for unsolicited telemarketing

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities – advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions – many individuals learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills.

Source: THE ITALIAN SUPERVISORY AUTHORITY FINES ENI GAS E LUCE EUR 11.5 MILLION – On account of unsolicited telemarketing and contracts

‘Prepare for ICO to utilise its wider powers’: UK regulator issues warning to adtech

The UK’s data regulator, the Information Commissioner’s Office (ICO), has issued a warning to any adtech companies which have failed to “use the window of opportunity to engage and transform” their practices – it’s coming for them.

The ICO’s update on its investigation into the adtech sector reveals it focused on specific issues such as the treatment of “special category data” – like race, sexuality and health – as well as how secure data is as it’s passed through the supply chain and the thorny issue of Legitimate Interest.

Source: ‘Prepare for ICO to utilise its wider powers’: UK regulator issues warning to adtech | The Drum

ICO Delays British Airways and Marriott GDPR Fines

Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019.

The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). ICO will now have until March 31, 2020 to finalize the penalties imposed on both British Airways and Marriott, which were the result of two high-profile data breaches and subsequent ICO investigations.

Source: ICO Delays British Airways and Marriott GDPR Fines

ICO launches consultation on draft direct marketing code of practice

The Information Commissioner’s Office (ICO) has launched a public consultation on a draft direct marketing code of practice.

The ICO has previously produced direct marketing guidance and the draft code builds on this, as well as taking into account the input received during the initial call for views. The code takes a practical life-cycle approach to direct marketing.

The code is out for consultation until 4 March 2020 and the final version is expected later this year. You can read the code and take part in the consultation through the ICO website.

Source: ICO launches consultation on draft direct marketing code of practice | ICO

First Ever UK GDPR Penalty is €325k for London Pharmacy

The first ever General Data Protection Regulation (GDPR) penalty in the United Kingdom has been sanctioned against a London-based pharmacy by the Information Commissioner’s Office (ICO).

ICO has fined Doorstep Dispensaree €325,000 (UK£275,000) by the Information Commissioner’s Office (ICO) in relation to its ‘cavalier attitude to data protection’. This decision was taken after it was discovered that that Burnt Oak Broadway, Edgware based pharmacy placed 500,000 medical documents that included sensitive information in unsecured and unlocked containers, disposal bags and in a cardboard box.

Source: First Ever UK GDPR Penalty is €325k for London Pharmacy – Compliance Junction

Max Schrems Files GDPR Complaints with French DPA on Cookie Use

European privacy advocacy group None of your business (NOYB)—led by Max Schrems—announced it had filed three formal complaints with the French data protection authority (CNIL) against three French websites for  sending digital signals to tracking companies claiming that users had agreed to be tracked online, despite the same users rejecting such cookies.

Despite users going through the trouble of “rejecting” countless cookies on the French eCommerce page CDiscount, the movie guide Allocine.fr and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online.

Source: Say “NO” to cookies – yet see your privacy crumble? | noyb.eu

UK ICO publishes new guidance on special category data

On November 14, 2019, the UK Information Commissioner’s Office (ICO) published detailed guidance on the processing of special category data.

The guidance sets out

  • what are the special categories of data,
  • the rules that apply to the processing of special category data under the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 (DPA);
  • the conditions for processing special category data; and
  • additional guidance on the substantial public interest condition, including what is an “appropriate policy document”.

Source: UK ICO publishes new guidance on special category data

The ICO are owed £7m in unpaid fines

The Information Commissioner’s Office (ICO) are struggling to collect monetary penalties from organisations it has fined since 2015.

152 fines have been issued since 2015, equating to £16.6 million – however, 30% are still unpaid which amounts to over £7 million.

Fines handed to charities and public organisations have all been paid, however the main culprits for non-payment are in the claims management industry. The industry has received a total of £3.2 million in fines, yet only £490,000 has been collected, and an overwhelming 84% remains unpaid.

Source: #Privacy: The ICO are owed £7m in unpaid fines

Dutch DPA fines company for not using 2FA

The Dutch Data Protection Authority imposed an order for incremental penalty payments of 150,000 euros per month with a maximum of 900,000 euros because the security level of the employer portal is not adequate.

A portal operated by UWV contains employee health data. DPA decided that because the UWV does not apply multi-factor authentication when granting access to the online employer portal, security is insufficient.

Source: AP forces UWV to better protect data with sanctions | Dutch Data Protection Authority