
Tag Archives for "DPA"

Lithuania DPA issues EUR 61,500 GDPR fine

The Lithuanian data protection authority (State Data Protection Inspectorate) imposed the first administrative fine in Lithuania for violations of the General Data Protection Regulation (GDPR), amounting to EUR 61,500.

Sanctions against UAB “MisterTango” were adopted for excessive processing of data, a breach of personal data security in the payment service system (the list of payments was visible on the Internet for 2 days), and failure to report the data security breach to the supervisory authority.

Source: State Data Protection Inspectorate – Articles: The Company’s Responsibilities Will Not Be Avoided – Significant fine for violations of the General Data Protection Regulation in Lithuania

Irish data watchdog examining WhatsApp security flaw

Ireland’s data protection watchdog – the Irish Data Protection Commission – said it was “actively engaging” with WhatsApp’s Irish division to determine if EU user data had been impacted.

But because WhatsApp is still investigating whether any EU data was affected as a result of the flaw, the company has not notified the watchdog of the breach under the bloc’s stringent GDPR regulations. The commission therefore has not yet launched a formal investigation into the vulnerability.

Source: Irish data watchdog examining WhatsApp security flaw

Denmark Data Protection Auth. on GDPR & Voice Recordings

The Denmark Data Protection Authority (DPA) ruled on April 11, 2019, that affirmative consent is required when companies record customer telephone calls.

In this case, the company provided disclosures to its customers that calls may be recorded for training purposes, but did not offer a mechanism for customers to opt in or opt out of the recording. The DPA rejected the company’s arguments that its recording practices served a legitimate interest, such as the improvement of its customer service, and concluded that the company’s telephone recording practices violated the GDPR.

Source: Denmark Data Protection Auth. on GDPR & Voice Recordings

Brussels Court of Appeal refers Facebook case to CJEU

The Belgian Data Protection Authority (DPA) announced, on 8 May 2019, that the Brussels Court of Appeal issued its judgment in relation to the DPA’s proceedings against Facebook, Inc., following the pleading of the parties to the Court on 27 and 28 March 2019.

The DPA highlighted that the Court did not rule on the merits of the case and decided to refer it to the Court of Justice of the European Union (CJEU) to be assessed in line with the General Data Protection Regulation (GDPR), seeking to ensure that the DPA can pursue the case against Facebook.

Source: Belgium: Brussels Court of Appeal refers Facebook case to CJEU

Dutch DPA Issues Guidelines on Privacy Policies Following Investigation

On April 17, 2019, the Dutch Data Protection Authority issued six recommendations for companies, to be taken into account when drafting privacy policies.

The published recommendations follow the Dutch DPA’s investigation of companies’ privacy policies. The investigation focused on companies that process sensitive personal data, including health data and data related to individuals’ political beliefs.

Full article: Dutch DPA Issues Guidelines on Privacy Policies Following Investigation | Privacy & Information Security Law Blog

The Spanish DPA publishes a list of processing operations for which a DPIA is mandatory

After receiving the favorable opinion of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) released on 6 May a list of processing operations for which it is necessary to carry out a privacy impact assessment.

Although the GDPR establishes criteria that help to identify those processing operations that involve a high risk, the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. In this context, the AEPD has published a list of processing operations determining that in the majority of cases where the processing meets two or more of the criteria on the list, a PIA will be necessary. The more criteria met by the processing analyzed, the greater the risk involved and the certainty of the need for a PIA.

Full article: The Spanish Data Protection Agency has published a list of processing operations for which a privacy impact assessment is mandatory

Irish DPA Examines Right to Rectification

In light of increased awareness of the rights granted to individuals under the new data protection legislation, Ireland’s data protection authority (DPA) – Data Protection Commission – has published a note to clarify aspects of the right to rectification of personal data.

In particular, it examines the case of recording of names of individuals that contain diacritical marks (for example, fadas in the Irish language).

Read note: Examination of Right to Rectification complaints | 30/04/2019 | Data Protection Commission

CNIL releases its 2018 annual report and announces its next challenges for 2019

On April 15, 2019, the French Data Protection Authority (the “CNIL”) released its 2018 Annual Report.

In 2018 the CNIL:

  • received more than 11,000 data subjects’ complaints, which represents an increase of 32% as compared to 2017.
  • sought to provide professionals with guidelines and documentation and took into account the need for legal certainty in a context of increased sanctions and the demand for greater simplification for smaller businesses.
  • conducted 204 on-site inspections (including 20 on-site inspections of CCTV devices); 51 online inspections; 51 controls on a document production basis; and 4 hearings.
  • adopted, through its Restricted Committee, only 11 sanctions out of the 310 controls carried out.

Source: CNIL releases its 2018 annual report and announces its next challenges for 2019 – Privacy, Security and Information Law Fieldfisher

The Irish Data Protection Commissioner opens investigations into 17 multinational tech companies

Speaking at the US Senate hearing, Helen Dixon has opened more than 50 investigations, some of which are expected to conclude by the end of the summer. The 50 investigations include domestic companies, public sector bodies and tech giants.

Source: The Irish Data Protection Commissioner opens investigations into 17 multinational tech companies

How one country blocks the world on data privacy

The GDPR is the world’s toughest standard for data privacy. But nearly a year later, its chief enforcer — the tiny nation of Ireland — has yet to take a single action against major tech firms like Facebook and Google.

Now, data-privacy experts and regulators in other countries alike are questioning Ireland’s commitment to policing imminent privacy concerns like Facebook’s reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, and Google’s sharing of information across its burgeoning number of platforms.

Full article: How one country blocks the world on data privacy – POLITICO
