Tag archives: data protection authority

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 12, 2019 Posted in Enforcement

Data Protection Report - Norton Rose Fulbright

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading

German Data Protection Authorities publishes a new GDPR model for fines

By Christoph Ritzer (DE) and Natalia Filkina (DE) on October 28, 2019 Posted in Enforcement

The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has just published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.… Continue reading

Deadline extended for compulsory registration on Data Controller registry

By Ekin Inal (TR) on September 6, 2019 Posted in Compliance and risk management

Norton Rose Fulbright - Data Protection Report blog

Obligations We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior … Continue reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

By Christoph Ritzer (DE) on July 8, 2019 Posted in Compliance and risk management

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, … Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

Privacy Shield Update: EU Member States Approve Amended Framework

By Marcus Evans (UK) on July 8, 2016 Posted in Compliance and risk management, Regulatory response

On July 8, 2016, European Member States approved the proposed EU-US Privacy Shield framework, with four Member States – Austria, Bulgaria, Croatia, and Slovenia – reportedly abstaining. Before the framework can be implemented, formal approval by the European Commission is required. Although the European Commission has yet to formally release a copy of the revised … Continue reading

Privacy Shield Framework Sees Changes, EU Vote Expected in July 2016

By Marcus Evans (UK) on June 24, 2016 Posted in Compliance and risk management, Regulatory response

The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in early July 2016. If approved by the EU Member States, companies will be able to subscribe … Continue reading

Details of Privacy Shield published

By Marcus Evans (UK), Jay Modrall (BE), Christoph Ritzer (DE) and Sven Jacobs (DE) on March 1, 2016 Posted in Compliance and risk management, Regulatory response

On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The … Continue reading

EU-US Privacy Shield – UK ICO updates its interim position on transfers to the US

By Marcus Evans (UK) on February 12, 2016 Posted in Regulatory response

Today the UK data protection authority (the ICO) published a blog post and consolidated interim guidance on how to handle EU/US data transfers while the EU-US Privacy Shield is being scrutinised by the Article 29 Working Party.… Continue reading

German Data Protection Authorities Suspend BCR approvals, question Model Clause transfers

By Christoph Ritzer (DE) and Marcus Evans (UK) on October 26, 2015 Posted in Regulatory response

Following on from the EU Article 29 Working Party Statement of 16 October 2015, the Conference of the German Data Protection Authorities – (“DPAs”) has today issued guidance (referred to as a Position Paper) on the consequences of the CJEU decision in the Schrems case (Case C-362/14).… Continue reading

A German data protection authority questions model clauses

By Christoph Ritzer (DE) on October 15, 2015 Posted in Regulatory response

The German data protection authority from the northern state Schleswig-Holstein has released guidance in connection with the ECJ’s decision on Safe Harbor.… Continue reading

Russian data protection authority explains data localization law; says cross-border transfer still permitted

By Vera Shaftan (RU) on August 4, 2015 Posted in Regulatory response

Russia’s data protection authority, Roscomnadzor, has held a number of meetings with business associations to respond to the wave of questions that have arisen about the interpretation and application of Russia’s personal data localization law. The law, which enters into force on September 1, 2015, requires that an operator, while collecting personal data, ensures the recording, … Continue reading