Tag archives: DPA

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose FulbrightOn October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading

Deadline extended for compulsory registration on Data Controller registry

Photo of Ekin Inal (TR)By Ekin Inal (TR) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogObligations We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Photo of Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightOn June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica … Continue reading

French National Assembly adopts “Digital Republic” bill

Photo of Nadège Martin (FR)Photo of Geoffroy Coulouvrat (FR)By Nadège Martin (FR) and Geoffroy Coulouvrat (FR) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightOn January 26, 2016, the French National Assembly adopted the “Digital Republic” bill  — a comprehensive bill introducing various provisions to regulate the digital sphere within the French society. Access to public data, neutrality of the Internet, access to the digital sphere and communication networks are some of the main subjects covered by this bill. … Continue reading

Hamburg DPA leader addresses EU-US Privacy Shield

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightOn February 5, 2016, Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof. Dr. Johannes Caspar, spoke about the EU-US Privacy Shield. Caspar observed that, once approved, the EU-US Privacy Shield system will initially be valid regardless of the decision of the European data protection authorities (DPAs). This is because the Privacy Shield will remain in force … Continue reading

CJEU decision in Schrems: what businesses should do next

Photo of Marcus EvansPhoto of Jay Modrall (BE)By Marcus Evans and Jay Modrall (BE) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightThis week, the Court of Justice of the European Union (“CJEU”) ruled that the EU-US Safe Harbor Decision is invalid in Case C-362/14 (the “Schrems” case).  This followed a similar opinion from its Advocate General, which also sets out the facts of the case. The decision will impact businesses that rely on the EU-US Safe Harbor … Continue reading

Day-after-Safe Harbor action plan: anticipating ECJ Schrems decision

Photo of Marcus EvansPhoto of Jay Modrall (BE)By Marcus Evans and Jay Modrall (BE) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightAs we have written extensively, the European Court of Justice’s (ECJ’s) ruling in the Schrems case on October 6, 2015 may effectively invalidate the US-EU Safe Harbor framework. While we believe that the Advocate General’s rationale for the proposal is weak, organizations that rely on the Safe Harbor are anxious about the consequences such a … Continue reading

Breach notice becomes law in the Netherlands; 11 things to know

Photo of Floortje Nagelkerke (NL)Photo of Nikolai de KoningBy Floortje Nagelkerke (NL) and Nikolai de Koning on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightOn 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entitis that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require … Continue reading

EU’s “One Stop Shop” Proposal Focuses on “Main Establishment” as Nexus of DPA Enforcement Authority

Photo of Marcus EvansBy Marcus Evans on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightThis is Part 2 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In this Part we examine the concept of main establishment and the position of entities without … Continue reading

UK Court of Appeal Establishes Data Protection Rights in Privacy Case

Photo of Jane Berry (UK)Photo of Ffion Flockhart (UK)Photo of Marcus EvansBy Jane Berry (UK), Ffion Flockhart (UK) and Marcus Evans on Posted in Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightA recent English Court of Appeal judgment could significantly broaden the circumstances in which data protection litigation can be brought – and damages can be awarded – under English law. Background Vidal-Hall et al v Google ([2015] EWCA Civ 311) involves claims brought by three individual users against Google. The users alleged that Google collected private … Continue reading

German draft bill to authorize privacy “class actions”

Photo of Jamie Nowak (DE)Photo of Christoph Ritzer (DE)By Jamie Nowak (DE) and Christoph Ritzer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe German government recently released a draft bill seeking to grant authority to the country’s consumer and business associations to enforce compliance with data protection laws. Because the proposed draft bill appears to have received support from the governing parties, we believe there is a high probability of the bill being enacted in the near … Continue reading
LexBlog