GDPR

Europe: Opinion of the Advocate General on presumed fault of the controller in case of unlawful third-party access to personal data

Authors: Verena Grentzenberg, Andreas Rüdiger, Ludwig Lauer

In his Opinion of 27.04.2023 (C-340/21), the Advocate General of the European Court of Justice (“ECJ”) commented on the interpretation of the civil non-material right to damages pursuant to Article 82 (1) GDPR as well as on the requirements and the duty of disclosure of the technical …


NETHERLANDS: Highest court side-steps determining whether legitimate interests may be purely commercial

On 27 July 2022, the highest administrative court in the Netherlands published its highly anticipated judgment involving the Dutch Data Protection Authority’s assessment of “legitimate interest” under Article 6(1)(f) GDPR. It was expected that the court would provide some clarification on whether “purely commercial interests” can qualify as legitimate interests within the meaning of Article …


Hungary: Record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of artificial intelligence

Authors: Zoltán Kozma, Mark Almasy

The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) has recently published its annual report in which it presented a case where the Authority imposed the highest fine to date of ca. EUR 670,000 (HUF 250 million). The case involved the personal data processing of a bank (acting …


France: The CNIL publishes a practical guide on Data Protection Officers

On 16 November 2021, the French data protection supervisory authority (the “CNIL”) published a practical guide (“Guide”) on Data Protection Officers (“DPOs”). The Guide provides a reminder of the applicable obligations regarding the designation, tasks and missions of DPOs as well as good practices to help organizations comply with their obligation to designate a DPO …


German Federal Labor Court rules on the scope of the right to information under Art. 15 GDPR

In a legal dispute to be decided by the German Federal Labor Court, the court had the opportunity to rule on the highly controversial scope of the right to information under Art. 15 GDPR. Specifically, the issue was whether or to what extent Art. 15 GDPR grants a right to receive copies of e-mails. This question is controversially discussed, particularly in the employment context. A decision on the merits was not issued, however, because the court already considered the claim to be too vague and therefore dismissed it as inadmissible. This result, nevertheless, is disappointing only at first glance. Rather, the decision is likely to provide an important guidepost for dealing with information claims and will hopefully, at least in part, cause a rethink.

The Netherlands: 440,000 EUR fine for hospital re. unauthorised access to medical records

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) has published its decision to impose an administrative fine of EUR 440,000 on Amsterdam hospital OLVG due to the lack of sufficient measures to prevent access to medical records by unauthorised personnel. After complaints, the Dutch DPA conducted an investigation, and carried out an audit of …


France: New guidance for data retention

By Denise Lebeau-Marianna – Partner and Yaël Hirsch – Senior Associate

The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL’s previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …


France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements

On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoe retail company SPARTOO SAS with a €250,000 fine and an injunction to comply with the GDPR within 3 months, under penalty, for various instances of non-compliance with the GDPR in its processing of personal data relating to clients, prospects and employees[1]. I. Factual background and …


EU: Europe’s toolbox for building compliant Corona tracking apps

Mobile applications supporting the EU in its fight against Covid-19: the common EU Toolbox for Member States

By Heidi Waem and Alizée Stappers

On the 8th of April 2020, the European Commission adopted Recommendation 2020/518 to address the need of a common toolbox (the “Toolbox”) for the use of technology and data in order to …


Global: International Data Protection Day!

International Data Protection Day, which falls annually on January 28, is “an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”. We would like to take this opportunity to share a number of data protection resources developed by our global Data Protection, Privacy and Security team to assist …


GERMANY: Data Protection Authorities Issue GDPR Fining Guidelines

On 16 October 2019 – after weeks of rumors and speculations – the German data protection authorities (‘DPAs’) published their guidelines (‘Guidelines’) for calculating administrative fines under Article 83 General Data Protection Regulation (‘GDPR’). The Guidelines are intended to guide enforcement action by German DPAs against business ‘undertakings’. They do not apply to individuals or associations …


EU: Binding Corporate Rules are Generating Greater Interest

Multinationals increasingly turning to BCRs as providing more legal certainty for personal data transfers from the EU

The EU General Data Protection Regulation (“GDPR”) brought about stricter data protection rules, and increased penalties for breaching these rules. For many multinationals this has led to reconsidering their framework for transferring personal data from the EU to …


Europe: ‘Right to be forgotten’, but only in Europe?

In its landmark decision of the 24th of September (C-507/17), the EU Court of Justice in Luxembourg has sided with Google over a claim by the French supervisory authority regarding the application of the so-called ‘right to be forgotten’. This right refers to the ability for individuals in Europe to demand that search engines, such …


The Netherlands – First GDPR fine imposed: EUR 460,000

Today, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) issued its first GDPR fine of EUR 460,000. The fine is imposed on the Dutch Haga Hospital for having insufficient internal security of patient records. The fact that the first GDPR fine was imposed on a hospital isn’t a complete surprise, as already in December 2018, …


Belgium: DPA updating its Recommendation on Direct Marketing – Provide your input before 31 July 2019!

Updated official guidance on direct marketing appears to be on the horizon: the Belgian Data Protection Authority has launched a public consultation on direct marketing, with a view to updating its Recommendation No. 02/2013 of 30 January 2013 on direct marketing. In its 2013 Recommendation, available in Dutch and French, the Belgian DPA covered several …


ITALY: First GDPR fine issued!

The first GDPR fine was issued in Italy by the Garante for the lack of implementation of privacy security measures following a data breach on the so-called Rousseau platform operating the websites of the Movimento 5 Stelle party.

Belgium: Newly appointed Belgian Data Protection Commissioner declares “I will not hesitate to issue fines to those not playing by the rules”

By Patrick Van Eecke & Gilles Hachez

A little less than a month ago, the Belgian House of Representatives appointed the new commissioner and directors of the Belgian Data Protection Authority (DPA), as we explained in our blogpost here. Today, little less than eleven months after the establishment of the DPA, the new commissioner, Mr …


FRANCE: The CNIL publishes new standards on HR management and whistleblowing schemes

By Denise Lebeau-Marianna and Caroline Chancé

On 11 April 2019, the French Data Protection Supervisory Authority (CNIL) published two draft standards intending to provide practical guidance in relation to the processing of personal data for HR management and whistleblowing systems. The purpose of such standards is to: Assist businesses in their compliance process, and Help …


The Netherlands – DPA reiterates strict position on alcohol, drug and medicine testing

The Dutch Data Protection Authority published an article in which it again affirms that testing employees on alcohol, drugs or medicines can only be performed if there is a specific legal basis to carry out such tests. Earlier, the Dutch DPA gave an explanation on some Q&A’s on this subject. The Dutch DPA states that …


The Netherlands: S.A. states that websites must be accessible at all times; cookie wall not allowed

On 7 March 2019, the Dutch Supervisory Authority (“S.A.”) created quite some buzz in the online Dutch (advertising) industry: websites that only give visitors access to their site if they agree to tracking cookies (or similar technologies) do not comply with the GDPR. This also means that the so-called cookie walls that are placed on …
