Tag archives: data protection

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Christoph Ritzer (DE)Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose FulbrightOn October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading

No surprises in the recent Planet49 European Court of Justice judgment

Christoph Ritzer (DE)Natalia Filkina (DE)Lara White (UK)By Christoph Ritzer (DE), Natalia Filkina (DE) and Lara White (UK) on Posted in Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightOn 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent … Continue reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

Pierre Bienvenu (CA)Ben Grant (UK)By Pierre Bienvenu (CA) and Ben Grant (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General
The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking … Continue reading

Deadline extended for compulsory registration on Data Controller registry

Ekin Inal (TR)By Ekin Inal (TR) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogObligations We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior … Continue reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

Ekin Inal (TR)By Ekin Inal (TR) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blogObligations Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal … Continue reading

The CNIL publishes new guidelines on cookies and other similar technologies

Nilofar Moini Shabestari (FR)Nadège Martin (FR)By Nilofar Moini Shabestari (FR) and Nadège Martin (FR) on Posted in Compliance and risk management
US Supreme Court expands digital privacy rights in Carpenter v. United StatesOn 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on … Continue reading

Website operators joint controllers with third-party plugin providers

Lara White (UK)Natalia Filkina (DE)Shiv Daddar (UK)By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors … Continue reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, … Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Nadège Martin (FR)Nilofar Moini Shabestari (FR)By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose FulbrightFollowing the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

ICO blog post on AI and solely automated decision-making

Lara White (UK)Marcus Evans (UK)Magdalene Lie (UK)By Lara White (UK), Marcus Evans (UK) and Magdalene Lie (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogOn January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Marcus Evans (UK)Lara White (UK)Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Lara White (UK)Marcus Evans (UK)Miranda Byrne Hill (UK)By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightOn 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

Steven Hadwin (UK)Mya Joel (UK)Marcus Evans (UK)Catrina Smith (UK)Amanda Sanders (UK)By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on Posted in Data breach
Data Protection Report - Norton Rose FulbrightThe Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading
LexBlog