
Tag Archives for "DPA"

Uber fined €400,000 in France over data breach

Uber in France has been hit with a €400,000 fine by the country’s data protection watchdog in response to a major data breach the company experienced in 2016.

The Commission Nationale de l’Informatique et des Libertés (CNIL) said 1.4 million customers of Uber France SAS were impacted by the breach and said it could have been prevented if the company had implemented “basic security measures”.

Full article: Uber fined €400,000 in France over data breach

In Spain, data breach notifications increase since the entry into application of the GDPR

The Spanish data protection authority – Agencia Española de Protección de Datos or AEPD – has received 418 notifications of data breaches since the entry into application of the GDPR. Of these 418 notifications, only 11 have required additional investigation by the DPA.

In the latest annual report published by AEPD, the DPA reports that complaints had already increased by 37% from 2015-2017, and that in 2017, the authority received around 10,500 complaints.

Source: In Spain, data breach notifications increase since the entry into application of the GDPR

GDPR era heralds new peak in number of data breach whistleblowers

The number of whistleblowers lifting the lid on data breach events has tripled in the time since May 25th 2018, when the EU’s General Data Protection Regulation came into force, the Financial Times online reports.

The Information Commissioner’s Office (ICO), which is the regulatory body for the GDPR in the UK, has received an escalating number of confidential reports on the issue, as illustrated by new data that reveals rising anxiety among the public regarding cyber security and privacy online.

Full article: GDPR era heralds new peak in number of data breach whistleblowers

Dutch DPA Publishes Post-GDPR Complaints Report

On December 13, 2018, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published a report on the complaints it has received since the EU General Data Protection Regulation (GDPR) became applicable on May 25, 2018.

In the past six months (between May 25, 2018 and November 25, 2018), 22,679 individuals have contacted the Dutch DPA to obtain more information about the GDPR or to file a complaint. The Dutch DPA has received 9,661 complaints from data subjects, of which 44% are pending.

Full article: Dutch DPA Publishes Post-GDPR Complaints Report

No-deal Brexit will block critical data transfers from EU

Despite bringing the General Data Protection Regulation (GDPR) into UK law in the form of the Data Protection Act 2018, leaving the EU without a deal in place means Britain will be, for a time, classed as a ‘third country’ until an adequacy agreement can be implemented.

This means that while some data can be transferred from the UK to European Economic Area (EEA) countries, something supported by the UK government, there will be a stop to all flow of personal information in the opposite direction until a data adequacy agreement comes into force, according to the ICO.

Full article: No-deal Brexit will block critical data transfers from EU, warns ICO | IT PRO

New Guidance on GDPR Data Processing Contracts Published by the UK ICO

The U.K. Information Commissioner’s Office (ICO) recently published guidance on contracts between controllers and processors. This new guidance provides a more in-depth and detailed discussion of the key issues than did a previously released primer published by the ICO, which set out key points along with helpful checklists.

The new guidance discusses (1) when a contract is needed and why, (2) specifically what terms need to be included in the contract, (3) the responsibilities and liabilities of controllers when using a processor, and (4) the responsibilities and liabilities of processors.

Full article: New Guidance on GDPR Data Processing Contracts Published by the UK ICO

Irish Government Department Investigated in Possible GDPR Breach

The Department of Employment Affairs and Social Protection is being investigated for possible General Data Protection Regulation breaches in relation to the body’s data protection officer being prevented from successfully completing their work.

Digital Rights Ireland submitted the complaint following revelations that the secretary general of the Department of Employment Affairs and Social Protection directed that amendments be made to the department’s online privacy policy to delete a reference to its collection of people’s biometric data, without involving the data protection officer in that decision.

Source: Irish Government Department Investigated in Possible GDPR Breach – Compliance Junction

Dispatch from Brussels: GDPR enforcement, guidance to come in 2019

During her interview with IAPP Chief Knowledge Officer Omer Tene, Dixon said major GDPR-related fines will not come down the pike in 2018, but it’s safe to expect some fines in 2019. This notion was foreshadowed earlier in the day by the EDPB’s Jelinek during her keynote address.

Notably, both Jelinek and Dixon said no cross-border cases have been escalated to the EDPB. But that doesn’t mean enforcement is far away.

Full article: Dispatch from Brussels: GDPR enforcement, guidance to come in 2019

ICO issues the first fines to organisations that have not paid the data protection fee

Organisations across the business services, construction and finance sectors are among the first to be fined by the ICO for not paying the data protection fee.

All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt. Fines for not paying can be up to a maximum of £4,350.

Source: ICO issues the first fines to organisations that have not paid the data protection fee. | ICO

Germany’s first fine under the GDPR offers enforcement insights

On Nov. 21, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) imposed the first fine under the GDPR in Germany – on a social media company for a violation of its data security obligations.

This is not the first GDPR-related fine in Europe which has become publicly known: the Austrian DPA imposed a €4,800 fine for illegal video surveillance activities, and a €400,000 fine was imposed in Portugal on a hospital after staff members illicitly accessed patient data. However, the current example from Germany provides further insights into how DPAs intend to use their new, heightened fining powers under GDPR.

Full article: Germany’s first fine under the GDPR offers enforcement insights
