Tag Archives for "DPA"

Increasing Fines Expected from German DPAs

In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.

Source: GDPR Enforcement Update: Increasing Fines Expected from German DPAs

GDPR codes must meet admissibility requirements

Trade bodies considering drawing up new codes of conduct to govern data privacy practices in their sector will be required to meet admissibility requirements before those codes will be assessed for their compliance with the General Data Protection Regulation (GDPR), a data protection watchdog has said.

Source: GDPR codes must meet admissibility requirements

What happened to the one-stop shop?

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby in respect of controllers or processors with more establishments in the EU, the supervisory authority of the “main establishment” of such controller or processor in the EU will serve as the “lead SA” in respect of its “cross-border processing” activities.

In the first landmark enforcement decision under the GDPR, the CNIL fined Google 50 million euros, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop shop enforcement.

Full article: What happened to the one-stop shop?

Austrian Data Protection Authority finalises investigation into Österreichische Post AG

The Austrian Data Protection Authority has finalised its investigation into the Austrian Post (Österreichische Post AG) and issued a decision stating the Austrian Post has violated several provisions of the GDPR.

Specifically, the Austrian DPA is of the opinion that the Austrian Post processes special categories of personal data (political opinions) by attributing preferences for certain political parties to data subjects by using statistical calculation methods, without explicit consent given by the data subjects. Furthermore, it found that the DPIA for this kind of processing and the record of processing activities were erroneous.

The Austrian DPA imposed an immediate ban on these processing operations, ordered the erasure of the data and ordered the Austrian Post to carry out a new DPIA and to rectify its record of processing.

Source: Austrian Data Protection Authority finalises investigation into Österreichische Post AG

Hellenic DPA does “ex officio” GDPR compliance investigation

The Hellenic DPA, in order to a) explore the level of compliance with the General Data Protection Regulation (GDPR) and the specific legislation on e-privacy, b) raise the awareness of data controllers and data subjects, and also c) exercise its envisaged powers, has carried out an “ex officio” investigation.

The investigation was initiated in December 2018 and is still ongoing. The Hellenic DPA carried out an investigation into 65 controllers operating online in the fields of financial services, insurance, e-commerce, ticket services and public sector services. The DPA explores the way specific requirements are met in the areas of transparency, the use of cookies, email marketing and the security of websites.

Source: Initial conclusions from the Hellenic DPA’s “ex officio” GDPR compliance investigation

Company closure and 4-year ban for director after marketing regulation breach

A director of a lead generating service has been banned for four years after failing to ensure his company complied with text message regulations.

Lad Media Limited sent over 393,000 SMS messages to members of the public, including to individuals who had withdrawn their consent regarding the receipt of marketing texts or calls.

Irrespective of Lad Media’s claim that the illegal marketing had not been their fault, but was instead due to the actions of third parties, the ICO imposed a fine of £20,000.

Source: Company closure and 4-year ban for director after marketing regulation breach

Austrian DPA takes “result-oriented perspective” in data erasure decision

The Austrian data protection authority (‘DSB’) published, on 30 January 2019, its decision, dated 5 December 2018, on the right to data erasure, further to an individual’s complaint.

In particular, the DSB highlighted that the complainant had alleged that an unnamed insurance company had infringed his right to data erasure by only deleting data stored for marketing purposes and anonymising the remainder.

Full article: Austria: DSB takes “result-oriented perspective” in data erasure decision

Google remain under ICO scrutiny for GDPR misdemeanours

The Information Commissioner’s Office is to work alongside regulators in Europe to establish whether Google has fallen foul of more GDPR rules.

The ICO, which enforces European data law in the UK, is now investigating measures to take following a number of complaints raised against the tech giant.

Source: Google remain under ICO scrutiny for GDPR misdemeanours

EU DPAs urged to act against online ad auctions

Panoptykon Foundation, the Warsaw-based digital rights organization, has joined in the complaints filed in the UK and Ireland in September by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave.

Together, the complainants in Ireland, Poland, and the UK, have also filed new evidence today with the national data protection authorities of Ireland, Poland, and the United Kingdom, that reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.

Full article: Update on GDPR complaint (RTB ad auctions)

Learning from Google’s record-setting GDPR fine

With the French Data Protection Authority (CNIL) disclosing on January 21st a 50 million euro fine against Google LLC, we now have a precedent against which to evaluate the impact and reach of GDPR enforcement.

This is significant as, with this precedent, we can determine some of the factors a Data Protection Authority (DPA) will use in assessing the extent of a given violation.

Full article: Learning from Google’s record-setting GDPR fine
