Here is our monthly data protection news and update blog from the Evalian team, providing some of the news items you may have missed, together with links to third-party sites which provide more information.
As we enter the second year of the GDPR being in force, we are starting to see EU data protection authorities issue fines. Unsurprisingly, the CNIL in France has been active, but so too has Datatilsynet in Denmark. We’ve rounded up some of the recent enforcement action in this update, along with some news from the UK Information Commissioner.
UK – ICO Focus for Second Year of GDPR
At the end of May, the Information Commissioner, Elizabeth Denham, published an update marking the first anniversary of the GDPR. In it the Commissioner remarked that the focus for the second year will go beyond baseline compliance, with emphasis on organisational accountability. Her warning is stark: “for those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively”.
Denmark – €200k fine for Excessive Data Retention
The Danish data protection authority (Datatilsynet) has proposed a fine on IDdesign, a furniture store, for failing to implement and enforce a data retention policy. IDdesign continued to hold the personal data of 385,000 customers, including their names, addresses and purchase histories, on an old computer system that was phased out in 2015. The fine proposed is 1.5m kroner, which is approx. €200,000.
France – €400k fine for Security & Retention Issues
The French data protection authority (CNIL) has fined a French real estate business, Sergic, €400,000 for failing to address security flaws (thereby not processing personal data securely) and for retaining personal data for longer than was necessary. Property rental users logging in to Sergic’s web portal could access other users’ personal documents with little effort, including copies of ID cards, banking information and more. Sergic knew of the vulnerability, and was also keeping the documents of unsuccessful rental candidates indefinitely.
Poland – €200k fine for Privacy Notice Failures
The Polish data protection authority (PUODO) has fined the data aggregation business Bisnode for failing to send a privacy notice to data subjects whose personal data it collected indirectly. Bisnode aggregates data, including personal information, from publicly available registers. The fine issued, which many consider to be harsh and which is subject to appeal by Bisnode, was PLN 1 million, which is approx. €230k.
UK – Recent Enforcement focus on ‘Fairness’
Whilst we’ve yet to see any meaningful GDPR enforcement action in the UK, the ICO has been busy finalising actions under the Data Protection Act 1998, with a real focus on the ‘fairness’ of processing by organisations including Newham Council, True Visions Productions and Bounty. We’ve reviewed these and other enforcement actions to identify what can be learned from these cases.
Have a question?
If you have any questions about any of the updates provided, please don’t hesitate to get in contact. You can contact us here.