Tag Archives for " sanctions "

First GDPR fine issued in Ireland

Eilis McDonald & John Magee

Tusla, Ireland’s child and family agency, has become the first organisation fined under the GDPR in Ireland. The Irish Data Protection Commission (DPC) filed papers in the Circuit Court on Friday to confirm the €75,000 fine against the Agency.

Tusla collects and processes highly sensitive, often special category data concerning children, vulnerable women and families across Ireland. The DPC reported three separate statutory inquiries into Tusla in respect of a number of breaches which had been reported to it since May 2018. The breaches included various instances of inappropriate system access, accidental and inappropriate disclosure of personal data by email and unauthorised disclosure of data.

Source: IRELAND: First GDPR fine issued in Ireland

ICO Warns It Will Punish Those Abusing Data During COVID-19 Outbreak

The Information Commissioner’s Office has tweaked its approach to the changing data environment that the COVID-19 pandemic is causing.

When it comes to a company’s employees and their health, the data authorities stress that just because you are concerned about workers’ health doesn’t mean you should start collecting unnecessary amounts of health data from them.

Source: ICO Warns It Will Punish Those Abusing Data During COVID-19 Outbreak

Belgian DPA Sanctions Company for Non-Compliance with the GDPR’s DPO Requirements

On April 28, 2020, the Litigation Chamber of the Belgian Data Protection Authority imposed a €50,000 fine on a company for non-compliance with the requirements under the General Data Protection Regulation related to the appointment of a data protection officer.

In its decision, the Litigation Chamber of the Belgian DPA upheld the alleged infringement of the GDPR’s DPO requirements (in particular Article 38(6) of the GDPR), arguing that by appointing the Head of the Compliance, Risk Management and Audit department as DPO, the company had failed to comply with its obligation to ensure that its DPO is free from any conflict of interest.

Source: Belgian DPA Sanctions Company for Non-Compliance with the GDPR’s DPO Requirements | Privacy & Information Security Law Blog

The Swedish DPA issues 18,700 euro fine against the National Government Service Centre

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.

Source: The Swedish Data Protection Authority issues fine against the National Government Service Centre

Dutch DPA imposes fine on employer processing fingerprints of employees

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) issued a fine of EUR 725,000 to a company for unlawfully processing fingerprints of its employees for attendance and time registration purposes.

The Dutch DPA concluded that the company in question did not have an appropriate legal basis for processing fingerprints. First of all, the employer was not able to provide proof of having obtained explicit consent of employees.

Secondly, the Dutch DPA concluded that the “necessity” exception can only be relied upon when buildings and information systems need to be secured in such a way that this cannot be done without using (only) biometrics.

Source: The Netherlands: Fine imposed on employer processing fingerprints of employees

Court approves Facebook’s $5 Billion Privacy Settlement

A judge approved Facebook Inc.’s $5 billion settlement with the Federal Trade Commission over privacy violations, the agency says—overruling objections that the deal didn’t adequately punish the company.

Judge Timothy Kelly of the U.S. District Court for the District of Columbia greenlighted the deal reached last summer, which included the $5 billion fine, restrictions on some aspects of Facebook’s business decisions, and ongoing oversight of the social media giant.

Source: Facebook’s $5 Billion Privacy Settlement Wins Court Approval – WSJ

Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates

Nearly two years in, there has been little enforcement of the General Data Protection Regulation, once seen as ushering in a new era.

Since the law was enacted, in May 2018, Google has been the only giant tech company to be penalized — a fine of 50 million euros. No major fines or penalties have been announced against Facebook, Amazon or Twitter.

The inaction is creating tension within European governments, as some leaders call for speedier enforcement and broader changes. Privacy groups and smaller tech companies complain that companies like Facebook and Google are avoiding tough oversight.

Europe’s challenges risk undermining efforts elsewhere in the world to create tougher privacy rules.

Source: Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates – The New York Times

Google’s Right-to-Be-Forgotten Fine Toppled by French Court

Google won a battle over the right to be forgotten after France’s top administrative court canceled a fine of 100,000 euros ($111,000) for failing to remove contentious search results globally.

France’s Council of State threw out the 2016 penalty, following guidance from the European Union’s highest court which last year backed the Alphabet Inc. unit by saying it should only scrub search results on European versions of its websites.

Source: Google’s Right-to-Be-Forgotten Fine Toppled by French Court – BNN Bloomberg

Brussels Court of Appeal overrules first DPA fine to a private company

On Feb. 19, the Brussels Court of Appeal overruled one of the first decisions of the Belgian Data Protection Authority in a case involving the use of an electronic ID to get a loyalty card.

The Brussels Court of Appeal held that the customer did not give her identity card and, consequently, there was no processing of her data. Therefore, according to the court, the DPA did not demonstrate an actual personal data breach.

The court still underlined that there was no prejudice for a customer in being unable to get a loyalty card and therefore a discount. There is no prejudice when one possible extra benefit is lost. It would have been different if the reading of the electronic ID was required to exercise a legal or contractual right.

Source: Brussels Court of Appeal overrules first DPA fine to a private company

Croatian DPA issues credit institution 20m GDPR fine

The Croatian data protection authority (AZOP) has imposed a fine of EUR 20m for violating the EU General Data Protection Regulation.

Since October 2018, AZOP had been receiving multiple complaints from citizens regarding one of Croatia’s credit institutions based in Zagreb: citizens were submitting requests for information to the institution but were being refused.

Source: #Privacy: Croatian DPA issues credit institution 20m GDPR fine
