Tag Archives for "sanctions"

ICO fines British Airways £20m for data breach affecting more than 400,000 customers

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Source: ICO fines British Airways £20m for data breach affecting more than 400,000 customers | ICO

ICO Launches Consultation on Its Draft Statutory Guidance

On October 1, 2020, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft Statutory Guidance.

The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.

Source: ICO Launches Consultation on Its Draft Statutory Guidance

Fashion chain H&M fined $35m for snooping on employees

Fashion chain H&M has been fined $35 million for data protection breaches, including recording private information about hundreds of employees and sharing it among managers.

Hamburg’s data protection commissioner said the company collected private information about employees at a customer service centre in Nuremberg.

After absences, such as vacations and sick leave, supervisors would conduct “welcome back talks” with members of staff. The data protection commissioner said: “After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses.

Source: Fashion chain H&M fined $35m for snooping on employees

Danish hotel group fined for failing to delete customers’ details

The Arp-Hansen Hotel Group in Denmark has been fined 1.1m Danish crowns (US$170,000, €148,000) and referred to the police by the country’s data protection authority (Datatilsynet) for storing information on clients longer than necessary.

In an audit visit, the DPA found there were customer profiles which should have been deleted several years earlier. The authority considers 500,000 entries ought to have been erased from the group’s systems.

Source: Danish hotel group fined for failing to delete customers’ details

CNIL Adopts Its First Sanction as Lead Supervisory Authority

The French Data Protection Authority (CNIL) has levied a fine of €250,000 on the French online shoe retailer Spartoo for various infringements of the EU General Data Protection Regulation (GDPR). This is the first penalty under the GDPR enforced by the CNIL as lead supervisory authority (Lead SA) in cooperation with other EU supervisory authorities.

The CNIL’s investigation focused on the processing of personal data of Spartoo’s existing and prospective customers, and on the recording of telephone conversations between customers and Spartoo’s customer service. The investigation revealed several infringements of the GDPR, including (1) the absence of defined data retention periods, (2) no regular erasure of existing and prospective customers’ personal data, and (3) improper acceptance of weak passwords for online customer accounts.

Source: CNIL Adopts Its First Sanction as Lead Supervisory Authority, Fining French Online Shoe Retailer

Italy tops GDPR penalty list with €46m worth of fines this year

Businesses operating within the European Union have been hit with a total of €68 million in fines relating to GDPR breaches so far in 2020.

Over €45 million of that came from Italian-owned companies, as a result of 13 separate investigations. Sweden came in second, with €7.3 million in fines from 4 cases, while the Netherlands was ranked third with €2.8 million worth of penalties.

Source: Italy tops GDPR penalty list with €46m worth of fines this year | IT PRO

Belgian DPA imposes a €600,000 fine on Google Belgium for non-compliance with right to be forgotten

On 14 July 2020, the Belgian DPA imposed a fine of EUR600,000 on Google Belgium SA/NV (Google Belgium) for not respecting a Belgian resident’s right to be forgotten. This is the highest fine ever imposed by the Belgian DPA.

The complainant, an executive at an unnamed large company, had requested the removal of 12 URLs which he considered to be harmful to his reputation. These URLs concerned, on the one hand, search results regarding alleged links with a certain political party, and on the other hand, a harassment complaint declared unfounded in 2010. As Google had refused to remove several of the concerned links, the complainant referred the case to the Belgian DPA.

Source: Belgium: Belgian DPA imposes a EUR600,000 fine, its highest fine ever, on Google Belgium for non-compliance with right to be forgotten

EU regulators wrangle over Twitter data privacy penalty

European Union privacy regulators are wrangling over the penalty Ireland’s data privacy watchdog was set to issue Twitter for a data breach, pushing back the case’s long-awaited conclusion under the bloc’s tough new data privacy rules.

The Irish Data Privacy Commission was expected to issue its decision in the Twitter case, which would be its first involving a US technology company since the new privacy law, known as GDPR, took effect in 2018, allowing for hefty fines.

But it said on Aug 20 that its counterparts in other countries – so-called concerned supervisory authorities – challenged a draft decision it circulated in May.

Source: EU regulators wrangle over Twitter data privacy penalty | The Star

GDPR supervisory authorities issued €2.9 million in fines in Q2 2020

There were at least 46 administrative fines under the GDPR in the past three months, with the penalties totalling nearly €2.9 million.

The Spanish Data Protection Authority led the way this quarter, issuing 16 fines. Meanwhile, Nordic countries were a large contributor to the quarter’s totals, with both the Norwegian Data Protection Authority and Finland’s Office of the Data Protection Ombudsman meting out four fines, and Sweden’s supervisory authority handing out three fines.

Source: GDPR supervisory authorities issued £2.6 million in fines in Q2 2020 – IT Governance UK Blog

UK data watchdog having a hard time making GDPR fines stick

British Airways expects the fine for its 2018 credit card data leak to be just 10.8 per cent of the £183m proposed by the UK data watchdog – while US hotel chain Marriott has both halved and kicked its own data blunder punishment into the long grass once again.

Mishcon’s Baines pondered whether the amount of ICO effort devoted to the two cases had disrupted its other data protection enforcement work: “One wonders if the effect of the BA and Marriott investigations has also been to cause work on other enforcement action to be paused, or at least delayed,” he mused, referring to boasts from Information Commissioner Elizabeth Denham last year that she was about to announce more big GDPR fines.

Source: UK data watchdog having a hard time making GDPR fines stick: Marriott scores another extension, BA prepares to pay 11% of £183m penalty threat • The Register
