data protection authority

Subscribe to data protection authority via RSS

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

By Christoph Ritzer (DE) & Natalia Filkina (DE) on November 12, 2019

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).

German Data Protection Authorities publishes a new GDPR model for fines

By Christoph Ritzer (DE) & Natalia Filkina (DE) on October 28, 2019

The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has just published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.

Deadline extended for compulsory registration on Data Controller registry

By Ekin Inal (TR) on September 6, 2019

Obligations

We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Online advertising targeting : a CNIL priority for 2019

By Nilofar Moini Shabestari (FR) & Nadège Martin (FR) on July 12, 2019

Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them.

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

By Christoph Ritzer (DE) on July 8, 2019

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly advisable to structure M&A deals as share deals when selling the target together with customer data databases relating to individuals.

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) & Nilofar Moini Shabestari (FR) on July 8, 2019

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.

Privacy Shield Update: EU Member States Approve Amended Framework

By Marcus Evans (UK) on July 8, 2016

On July 8, 2016, European Member States approved the proposed EU-US Privacy Shield framework, with four Member States – Austria, Bulgaria, Croatia, and Slovenia – reportedly abstaining. Before the framework can be implemented, formal approval by the European Commission is…

Privacy Shield Framework Sees Changes, EU Vote Expected in July 2016

By Marcus Evans (UK) on June 24, 2016

The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in early…

Details of Privacy Shield published

By Marcus Evans (UK), Jay Modrall (BE), Christoph Ritzer (DE) & Sven Jacobs (DE) on March 1, 2016

On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The Commission’s proposed adequacy decision holds that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield”.

EU-US Privacy Shield – UK ICO updates its interim position on transfers to the US

By Marcus Evans (UK) on February 12, 2016

Today the UK data protection authority (the ICO) published a blog post and consolidated interim guidance on how to handle EU/US data transfers while the EU-US Privacy Shield is being scrutinised by the Article 29 Working Party.

Data Protection Report