Europe

Global Privacy Regulations

Austria

BDO Local Resources

Ewald Kager | Email | Phone

Regulator: Österreichische Datenschutzbehörde (Austrian Data Protection Authority)

Law: GDPR, Austrian Data Protection Act / Datenschutzgesetz

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

In Austria, both the national DSG and the GDPR apply to privacy issues. The DSG complements the GDPR, tailors its provisions to the national context, and provides the legal basis for the structure and powers of the DSB. The DSB is an active authority and has issued substantial fines, including, for example, a fine of €18 million against the Austrian postal service for violating the GDPR. The DSB and the Austrian Chamber of Commerce ('WKO')[1] regularly issue guidance on privacy issues, including data subject access requests, cookies, direct marketing, and the right to be forgotten. Alongside the GDPR and the DSG, Austria has also ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108').

The enforcement agency is taking a stronger position on transparency as evidenced by its recent lawsuits.

Data Protection Authority Focus

None of Your Business (‘NOYB’) reported in August 2021 that the DSB had issued a decision following NOYB’s complaint against the credit rating agency CRIF GmbH[2]. The DSB held that CRIF’s credit assessment constitutes ‘profiling’ because personal data was assessed and analyzed to predict the data subject’s future likelihood of credit default. The activities were deemed an intrusive interference with data subjects’ rights. CRIF must inform the inquiring companies that the consumer’s creditworthiness score is calculated solely on the basis of address, gender, name, and age. The decision also found that CRIF cannot rely on legitimate interests under Article 6(1)(f) of the GDPR, because the data subject’s interests must not be placed at a disadvantage in commercial transactions.

[1] WKO, Das Serviceangebot der Wirtschaftskammer (the service offering of the Chamber of Commerce)

[2] NOYB, Beschwerde gemäß Artikel 77(1), 80(1) DSGVO (complaint under Articles 77(1) and 80(1) of the GDPR)


  

Belgium

BDO Local Resources

Alain Vanmeerhaeghe | Email | Phone

Law: GDPR, Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data

Regulator: Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA) / Data Protection Authority (‘Belgian DPA’)

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

Belgium, like other EU countries, adopted the GDPR in 2018 and derogated from the GDPR by developing exceptions to the data subject rights for purposes of scientific or historical research, and consent for children under the age of 13 years.

The Belgian DPA has played an active role in implementing new regulations and measures to fight COVID-19 while ensuring continued protection of citizens' personal data under the applicable legislation. The DPA has underlined that public health is of the utmost importance and that its preservation is not incompatible with the right to privacy.

The DPA kept a close watch on the measures taken by the Belgian government and voiced concerns on several occasions. Indeed, ‘Tracking’ to protect public health touches on two key priorities of the DPA: sensitive (medical) data on the one hand and government processing of data on the other hand.

Data Protection Authority Focus

In 2020, data breaches in Belgium increased by 21% versus 2019 (1,060 breaches vs. 838 breaches), and the DPA imposed fines totalling €835,500, including two significant penalties in 2020[1].

In September 2020, Google received the largest fine to date from the Belgian DPA, €600,000 ($670,000)[2]. A Belgian citizen (the complainant) requested Google Belgium to remove search results linked to his name in their search engine (information related to political party and unfounded harassment complaint). Google decided not to remove any of the pages in question. The DPA ruled that Google was particularly negligent, as it had evidence that the information was outdated and irrelevant. Google Belgium appealed the decision.

This decision is historic because the fine was more than ten times higher than any previous fine imposed by the DPA, and because it ensures that the full and effective protection of citizens is maintained in cases of large international groups, such as Google.

In May 2020, Proximus received a fine of €50,000 ($57,900) for a conflict of interest involving its DPO. As Head of Compliance, Risk Management & Internal Audit, he was involved both in advising on and in deciding data issues. By prohibiting this dual role, the GDPR prevents such conflicts of interest.

[1] GDPR Enforcement Tracker

[2] Compliance Week, Google fined $670K for violating GDPR’s ‘right to be forgotten’, 14 July 2020


  

Bulgaria

BDO Local Resources

Silvana Dzharkova-Aleksandrova | Email | Phone

Law: GDPR, The Protection of Personal Data Act 2002 (Amended 2019)

Regulator: Комисия за защита на личните данни / Personal Data Protection Commission

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

Bulgaria revised its National Personal Data Protection Act (‘PDPA’) in 2019, following the entry into force of the GDPR. The Bulgarian Commission for Personal Data Protection (the authorized supervisory body under the GDPR) conducted several audits of larger companies processing personal data, either on its own initiative or following complaints from data subjects. The audits resulted in fines for identified violations, with the size of the penalties proportional to the seriousness of the offenses.

Data Protection Authority Focus

The focus of the Bulgarian DP Authority, namely the Commission for Personal Data Protection (CPDP), is mainly guidance and decisions on complaints. The CPDP recently issued a Statement on the legality of personal data processing by the Ministry of Interior during the COVID-19 crisis. In particular, the Statement highlights that the Ministry's collection of declarations from citizens passing through checkpoints around Bulgaria is a temporary measure that concerns a limited number of persons whose data are processed. It also notes that personal data protection legislation allows the scope of citizens' rights and freedoms to be limited (Article 23, GDPR, Regulation (EU) 2016/679) and that the Ministry's personal data processing is necessary and proportionate to guarantee public health and crime prevention.


  

Czech Republic

BDO Local Resources

Stanislav Klika | Email | Phone

Law: GDPR, Act No. 110/2019 Coll. on Personal Data Processing

Regulator(s): Office for Personal Data Protection (‘UOOU’)

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

The Act No. 110/2019 Coll. on Personal Data Processing (‘the Act’) is the primary privacy regulation in the Czech Republic that transposes the GDPR. The UOOU performs audits, publishes Standard Contractual Clauses (SCCs), investigates data breach complaints, and imposes fines. Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts implements the ePrivacy Directive. The derogation from the GDPR is that the Czech law maintains the ‘opt-in’ consent obligation versus the GDPR ‘opt-out’ requirement.

On 15 September 2021, the Chamber of Deputies overruled the Senate and approved the transposition amendment to Act No. 127/2005 on Electronic Communications and on Amendment to Certain Related Acts.

On 20 September, OneTrust DataGuidance confirmed that the draft whistleblowing implementing act in the Czech Republic will not proceed to a second reading in the Chamber of Deputies[1]. The act could still pass at a later date, but it will not pass prior to the elections in October 2021.

Data Protection Authority Focus

The focus of the UOOU is on judgments, public comments, and providing guidance to consumers and organizations. As of March 2021, the UOOU continues to focus on the passing of the Proposed Regulation on Privacy and Electronic Communications to replace the ePrivacy Directive.

[1] OneTrust DataGuidance, Czech Republic: Legislative process on whistleblowing transposition law discontinued, September 2021


  

Denmark

BDO Local Resources

Mikkel Jon Larssen | Email | Phone

Law: GDPR, Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (‘The Danish Act on Supplementary Provisions’)

Regulator(s): Danish Data Protection Authority ('Datatilsynet'), Centre for Cybersecurity, Danish Business Authority

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

Datatilsynet is the Danish regulator and is active in publishing GDPR guidance. Datatilsynet works with other supervisory authorities, the Centre for Cybersecurity, and the Danish Business Authority on cybersecurity, cookies, and telecommunications security.

Denmark was the first EU country to publish Standard Contractual Clauses (‘SCCs’) for contracts between data controllers and data processors in accordance with Article 28 of the GDPR.

Data Protection Authority Focus

The Datatilsynet focuses on monitoring data processors and sub-processors and ensuring that companies have a legal basis for data processing and storage.

On 22 September 2021, Datatilsynet announced that the Tax Authority’s handling of a data security breach violated Article 24(1) of the GDPR, because the Tax Authority failed to notify the affected data subjects promptly. The 2020 breach, which exposed 1.26 million Danish citizen ID numbers and resulted from a software error that had persisted for five years, was notified to data subjects only 40 days after the Tax Authority learned of it.

On 21 September 2021, Datatilsynet announced that Falck Danmark A/S’ (‘Falck’) processing of personal data about COVID-19 testing of primary school students followed the GDPR. Falck’s processing and privacy policy transparency complied with Articles 12(1) and 13 of the GDPR.

On 16 September 2021, Datatilsynet announced that it had recommended a DKK 75,000 fine for Favrskov Municipality’s security failure. The municipality had failed to implement sufficient technical security measures to safeguard the confidentiality of data subjects’ personal data. The breach resulted from a stolen laptop, which contained a program holding the personal data of approximately 100 people with reduced physical or mental capacity. More importantly, the computer was not encrypted, and the program containing the information was not equipped with proper safeguards, which violated Article 32 of the GDPR.


  

Finland

BDO Local Resources

Ossi Määttä | Email | Phone

Law: GDPR, The Data Protection Act (1050/2018)

Regulator(s): Office of the Data Protection Ombudsman

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

There have been no changes in legislation in Finland. Customer behavior has begun to change due to the decisions of the Data Protection Authorities and due to publicly reported data leaks.

There have been a few significant data leaks in Finland. In particular, the hack of the Vastaamo psychotherapy provider exposed the psychotherapy records of at least 2,000 patients, which were posted on the ‘dark web.’ Patients reported receiving emails demanding €200 in bitcoin to prevent the contents of their discussions with therapists from being made public[1]. Another report indicates that the ransomware attackers demanded 40 bitcoins, worth about €450,000, from the company and between €200 and €500 from individual patients[2].

The event prompted both private individuals and companies to reconsider their level of data protection and security.

Privacy auditing is increasingly included in general audit assignments, and there is also interest in audit engagements dedicated solely to data protection.

Public administration organizations that are clients of internal audits are subject to regular data protection audits.

Data Protection Authority Focus

The data protection authorities have issued decisions based on notifications made by private individuals. One prominent industry that has been the subject of decisions is the real estate industry. Example decisions include whether it is lawful to register location data showing where a resident has used an electronic key. In another case, due to the incorrect installation of CCTV camera software in around ten taxis, the system recorded both images and speech. The DPA treated the case as a precedent and imposed a fine of €70,000 for the error. The DPA's decision is under legal review, and the DPA has also paid attention to data protection impact assessments.

[1] The Guardian, ‘Shocking’ hack of psychotherapy records in Finland affects thousands, 26 October 2020

[2] Euractiv, Huge data breach in Finland shocks citizens and politicians alike, 26 October 2020


  

France

BDO Local Resources

Bruno Saucourt | Email | Phone

Law: GDPR, Amended Law No 78-17 of 6 January 1978 relating to computing, files, and freedom of information (French, Unofficial English)

Regulator(s): French Data Protection Authority (‘CNIL’)

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

In France, amendments and supplements to local legislation came into force after the revision of the national law known as ‘Loi Informatique et Libertés’ in June 2018. The decree published on 30 May 2019 was the last step in bringing national law into compliance with the General Data Protection Regulation (GDPR) and the Police-Justice Directive, which applies to files in the criminal sphere. The national legal framework for data protection is now stable.

The Act and its Implementing Decree, which underwent a significant overhaul, now allow both individuals and data processing organisations to understand their rights and obligations regarding personal data protection more clearly.

Data Protection Authority Focus

The supervisory authority in France, the CNIL, has an important educational role, which it fulfils by signing agreements with administrations and organizations to promote personal data protection.

Penalties imposed following inspections must be proportionate. In early 2021, the CNIL fined an undisclosed data controller €150,000 and its data processor €75,000 for failing to implement adequate security measures[1]. The lack of security led to a credential-stuffing attack[2] that resulted in the leak of the last name, first name, email address, date of birth, loyalty card balance, and orders of approximately 40,000 individuals.

The supervisory authority provided guidance concerning:

  • COVID-19 tracking applications
  • Human resource treatments and data retention
  • Cookies
  • Chatbots
  • Video surveillance
  • List of processing operations for which a Privacy Impact Assessment (‘PIA’) is required
  • List of processing operations exempt from a PIA

In June 2021, the CNIL released its PIA tool. More information is available on the CNIL website. Two versions exist: a portable version and an open-source web version.

[1] JDSUPRA®, France’s CNIL Fines Data Processor and Data Controller over Credential-Stuffing Attack, 4 February 2021

[2] Credential-stuffing is an attack method where hackers use compromised credentials to breach a system.


  

Georgia

BDO Local Resources

Anzor Mekhrishvili | Email | Phone

Law: Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669

Regulator(s): Office of the Personal Data Protection Inspector (‘PDP’)

Adequacy Agreement with GDPR: No

Measures Announced

Overview

Georgia adopted the Data Protection Act in 2011, which governs data protection and processing activities. The Law of Georgia on State Inspector Services (N3273-RS, 21.07.2018) and the Resolution of the Government of Georgia on the Approval of Regulations on the Activities of the Personal Data Protection Inspector and the Rule of Exercising the Power by him/her (No. 180, 19.07.2013) provide the regulatory framework for Georgian data protection. In May 2019, the PDP announced a draft law on Personal Data Protection, which aims to bring Georgian legislation on personal data protection into closer alignment with the GDPR.

According to the state of Georgia’s website, ‘GDPR applies only to the extent Georgia governmental entities have a physical location within Europe, monitor consumer behavior in Europe (such as through electronic data collection or analysis), or offer goods and services into Europe’[1]. The Georgian State Inspector’s Service outlines why the GDPR matters to Georgian companies and when they must comply with it. The Georgian State Inspector’s Service provides guidance to Georgian companies with relevant recommendations[2].

Data Protection Authority Focus

The focus of PDP is to provide guidance to Georgian companies around:

  • Data processing
  • Violations of data processing principles
  • The development and use of artificial intelligence
  • Failure to comply with data protection requirements
  • The use of data for direct marketing
  • Violations related to video surveillance
  • Processing special categories of data

When the draft law passes, it will provide further guidance on the principles of data processing, data subjects’ rights, children’s consent, processing of deceased persons’ data, monitoring, direct marketing, data controller and data processor obligations, data transfers, enforcement, and penalties for non-compliance.

[1] Georgia Technology Authority, General Data Protection Regulation (GDPR) Guidance

[2] Georgia State Inspector’s Service, 2 Years Since the Enforcement of GDPR and Its Impact on Georgia, 25 May 2020


  

Germany

BDO Local Resources

Hans-Peter Toft | Email | Phone

Law: GDPR, Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)

Regulator(s): Germany does not have one central Data Protection Authority. There are 16 state Data Protection Authorities, one for each German state, alongside the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für Datenschutz und Informationsfreiheit – ‘BfDI’)

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

Together with the GDPR, the revised Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) came into force on 25 May 2018. The BDSG elaborates on the GDPR, particularly regarding the role of the Data Protection Officer and employee data protection. In mid-2019, the BfDI announced an amendment to the BDSG, which applied corrections and adaptations to the current BDSG and to more than 150 other national laws. While the German data protection authorities acted cautiously in 2018, they announced more robust controls for 2019. Nevertheless, the fines have been low compared to other EU countries. In the late summer of 2019, the German data protection authorities announced a new sanctioning model that could lead to higher fines in the future.

Data Protection Authority Focus

Until recently, the highest penalty in Germany was almost €200,000 (2019). However, on 24 September 2021, the Hamburg Commissioner for Data Protection and Freedom of Information (‘HmbBfDI’) announced that it had fined Vattenfall Europe Sales GmbH €901,388.84 (about $1 million) for violating the transparency obligations under Articles 12 and 13 of the GDPR. HmbBfDI noted that nearly 500,000 customers were not appropriately informed about an internal data comparison relating to contract inquiries for special contracts associated with special bonus payments.

Last year’s Schrems II decision of the ECJ continues to have a significant impact on transatlantic data transfers. In its judgment of 16 July 2020, the ECJ found that the Privacy Shield agreement between the EU and the United States violated European data protection law. At the time of the decision, the Privacy Shield agreement was the basis for a vast part of transatlantic data transfers and was used by virtually all major providers, such as Google, Facebook, and Microsoft. As a result of the Court’s decision, EU companies can no longer legally transfer data to the US on the basis of the Privacy Shield framework. Companies that do not comply with this ruling and continue to transfer data based on an invalidated mechanism (e.g., Privacy Shield) risk a penalty of up to €20 million or 4% of global turnover.

The Court of Justice of the European Union (CJEU) left the standard contractual clauses adopted by the European Commission as the only remaining basis for US transfers. The CJEU now requires additional technical and organizational safeguards on top of the standard contractual clauses. At present, the local Data Protection Authorities have begun to investigate whether local businesses have implemented these new requirements. The fines issued by German DPAs mainly concern data breaches and the failure to delete personal data in time.


  

Guernsey

Measures Announced

General

Guernsey data privacy legislation is in line with the EU GDPR, and adequacy has been agreed. Given that the major industry in Guernsey is financial services, the local legislation has some additional exemptions in place, for example in regard to trusts and how they are treated.

Recent Updates

  • Guernsey’s Office of the Data Protection Authority (ODPA) has provided guidance on Protecting Personal Data During Extraordinary Circumstances. The ODPA advises the public that the object of data protection legislation is to protect people’s rights in relation to how their data is treated. All organizations that handle the personal data of their staff, clients, suppliers or citizens are required to protect that personal data. Doing this well enables trust and good relationships to be maintained, and prevents people from being harmed by misuse of their data.
  • All local organizations need to consider the fact that remote working may pose an increased risk to personal data. It is possible to take positive and effective steps to mitigate this risk by considering these common-sense steps:
    • Make sure staff are aware of, and able to implement, existing privacy policies surrounding remote working.
    • Depending on what staff are doing with personal data while working remotely, consider whether it may be helpful (or legally required) for the organization to perform a Data Protection Impact Assessment.
    • If a potentially high-risk processing activity involving personal data needs to be performed remotely, seek advice from your Data Protection Officer (if you have one), or visit odpa.gg/advice-guidance.
    • Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures.
    • Take extra care when transporting any paperwork or devices that may contain personal data: where appropriate, use additional security measures such as two-factor authentication for devices or physical locks for storing paperwork.
    • Be extra vigilant to social engineering (e.g. criminals impersonating your staff, suppliers or clients) in all its forms, as criminals are actively trying to take advantage of the current disruption.
    • Think about the accountability principle: is the organization using personal data in a new (or different) way as a result of the current public health situation? If so, document the decision-making process that led to this and update any relevant policies.

Additionally, the following guidance is available regarding working from home: 

  • All organizations need to be aware (and need to ensure that their staff are aware) that remote working may pose an increased risk to personal data. Many people are now working in a home where at least one other person is now also working from home, potentially sharing space and equipment (e.g. the one printer in the house), and possibly with children around. They will be working on a home computer, laptop or tablet (or a combination of all three), over their home network. They do not have all the resources, systems and equipment they had in the office which were set up to ensure data was protected. 
  • Some of the risks might be minimal, in that the lockdown rules in most places mean that only members of the household should be entering the home, except in emergency situations.   
  • Data security - The data protection principle perhaps most at risk of being overlooked is the requirement for data controllers to process personal data in a manner that appropriately ensures its security. This includes protecting it against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. 
  • The following ‘top tips’ and practical guidance for organizations and individuals help minimize the risks and ensure that data protection obligations continue to be met. They are based on a combination of analysis of the legal requirements, the experience of adjusting to new ways of working, and the guidance issued by the data protection regulators in Guernsey and Jersey (see below for details). They also address the risks posed by cybercrime and fraud, where criminals are more likely to take advantage of people working away from their usual environment and to play on concerns over the pandemic.
    • Review and update the organization's data protection policy and working from home policy 
    • Existing policies are likely to cover occasional working from home, rather than the whole of the organization working from home for an extended period. Ensure staff are aware of policies and offer training where appropriate (by telephone, through emails and/or presentations given through video conferencing facilities). If you are sharing your screen using these tools, ensure that confidential or personal information is not also shared accidentally. 
    • Circulate guidance to staff on working from home and the associated risks to data security 
    • It may be helpful to circulate the working from home policy as an extract if it forms part of a broader document (such as a staff handbook or a general policies and procedures manual), so that staff can access and review it quickly. Consider circulating it by email and making it available in a prominent place on your organization's intranet or document management system (if applicable). It may also be helpful to provide a shorter list of 'dos and don'ts' or a visual guide to give staff something to refer to on a regular basis. 
    • Consider performing a Data Protection Impact Assessment ("DPIA") 
    • This may be a legal requirement (e.g. if as a result of remote working, you will be using personal data for a purpose for which it was not previously used or using new technology that might be perceived as being privacy intrusive, such as facial recognition). Even if performing a DPIA is not a legal requirement, it may be helpful in assessing where the risks might be. If you are introducing new systems or products in response to working from home, these should be adequately secured and have DPIAs performed against them. 
    • Ensure staff only use secure network and WiFi connections 
    • Ensure that your staff are using a WiFi network with a strong password and the best encryption level available to them. Be prepared to provide advice and support. 
    • Ensure all devices have appropriate and up to date anti-virus software and security software 
    • Security tools such as privacy tools, add-ons for browsers etc. need to be up to date. Use two-factor authentication and encryption tools where possible. Many capable anti-virus products are now available for home users at no cost. 
    • Encourage staff to operate in a 'paperless' environment as far as possible and adapt processes and procedures to minimize the need for paper documents to be generated 
    • Look for new ways to deal with paper-heavy administrative processes. Avoid creating multiple copies of documents (by printing and scanning) wherever possible. 
    • Invest in new technology and software to improve data protection and minimize risks 
    • Consider supplying staff with an additional computer monitor to reduce the need to print documents. Use a document management system rather than paper filing. Use document signing software where possible to facilitate paperless transactions (see our briefings on closing transactions electronically in Guernsey and Jersey respectively, which cover the rules on electronic signatures in each jurisdiction).
    • Ensure adequate support in case of problems 
    • Provide staff with guidance on how to react where problems arise, or if a potential breach occurs, and provide details of who to call and emergency procedures. These procedures should be as straightforward as possible and tested before a real incident occurs. 
    • Review the organization's data protection policy and working from home policy, and follow instructions and guidance from managers, IT department and (if applicable) data protection officer.  These will be tailored to your organization and the way in which it processes personal data. 
    • Think carefully about taking physical files and documents containing personal data home from the office, and printing documents 
    • Only take or print what you need. Do not leave documents in an unlocked car. Be extra vigilant if transporting documents by bus or taxi (don't leave them behind!). Make sure there is somewhere safe to store documents at home (e.g. a locked cupboard or room). 
    • Allocate a defined area or workspace and ensure it is secure.  This could be a study or spare bedroom if there is enough space, or even a desk or table in a living room, kitchen or conservatory. Set some 'house rules' that this is your space and no one else in the household is to touch, move or look at anything (papers, laptop, folders etc.) in or on your space. Lock devices when not in use. Remember that if an unauthorized person can access personal data in your paperwork or on your computer, this is a data breach. 
    • Ensure you only use secure network and WiFi connections, that your network has a strong password, and that it uses the best encryption level available to you. Ensure your home router has the latest software updates installed.
    • Turn off smart speaker devices whilst on work calls 
    • There is a risk that voice commands for these devices may be accidentally activated, causing their microphones to pick up your conversation (including any personal data and other confidential information). 
    • Do not leave documents on the home printer 
    • Collect documents from the printer as soon as you have printed them. It is easy to forget they are there and for them to get mixed up with other paperwork.
    • Tidy up workspace at the end of each day 
    • Put laptop or tablet and any paperwork in a secure location in your home. 
    • Do not put any documents containing personal data or confidential information in your household rubbish bin or recycling 
    • Discuss with your organization how documents should be destroyed, e.g. using a 'shredding box' that can be professionally shredded by arrangement with the organization.
    • Be extra vigilant to social engineering 
    • Criminals are actively trying to take advantage of the current disruption by impersonating organizations and their staff, suppliers and clients. If you have any doubts about who is contacting you, speak to your manager or follow the instructions in your organization's policies and procedures. Do not risk inadvertently sharing any data with a fraudster. 
    • Do not open or reply to spam or phishing emails 
    • Criminals are using concerns and uncertainty over the spread of coronavirus as bait to trick you into sharing information or giving money. Do not open emails or links sent to you containing the words "coronavirus" or "Covid-19" in the title or domain name unless you know the sender. 
    • Ask questions and report any problems or potential breaches 
    • Speak to your manager, IT department or data protection officer if you have any questions or concerns about protecting data in your home. Check your organization's policies and procedures for how to report any issues.


  

Hungary

BDO Local Resources

Simon Emese

Measures Announced

General

Since the GDPR took effect on 25 May 2018, Hungarian data protection regulations have been greatly modified to bring them in line with the requirements of EU law. The modifications were adopted, with a significant delay, in April 2019.

The modifications affected many areas, including employment law, regulations on personal and property protection, commercial law, and rules pertaining to direct marketing. Although the Hungarian data protection authority has launched several thousand disciplinary procedures under the GDPR, it has adopted resolutions in approximately 30 cases; and only some of these involved the imposition of a fine. The highest fine so far amounted to HUF 30 million (approximately 95 million EUR). This was imposed due to the unlawful access control practices of a major music festival, where the data controller processed data without proper legal basis (in violation of the principle of purpose limitation) and without giving appropriate information to the data subjects. The next highest fine was HUF 11 million (approximately 35 million EUR). The rest of the fines have been much lower, ranging from approximately 300 euros to a few thousand euros.

Fines have typically been imposed in connection with CCTV monitoring, for not allowing data subjects to exercise their rights (e.g. right to erasure and access) properly, for failing to report personal data breaches, for violating the principle of data minimization, and for failing to inform data subjects adequately. In Hungary, large and well-known companies are generally doing their best to comply with the GDPR, but a number of smaller companies have only started to bring their practices in line with the regulations with a significant delay, or not at all.

Recent Updates

Hungary is halting some GDPR rights amid COVID-19:

  • Under the new measures, citizens will see a pause on their right to data access and erasure, while any legal actions pertaining to alleged GDPR violations will also be delayed. 

Additionally, the Hungarian government is suspending EU data protection rights:

  • These include the suspension of the rights to access and erasure of personal information; those who lodge a complaint or exercise their right to a judicial remedy will also have to wait for proceedings to start until after the government proclaims an end to the state of danger. 

The decree also relaxes the obligation of authorities to notify individuals when collecting personal data, when certain authorities act with the purpose of “coronavirus case prevention, recognition, exploration, as well as prevention of further spreading.”


  

Ireland

BDO Local Resources

David McCormick | Email | Phone

Law: GDPR, Data Protection Act 2018

Regulator(s): Data Protection Commission (‘DPC’)

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

There have been no significant changes to legislation. However, new guidance on the use of cookies and tracking technologies was published. The Data Protection Commission (‘DPC’) conducted an extensive public awareness campaign signalling its intention to begin follow-up enforcement action during Q4 of 2020. Enforcement Notices were served on seven organisations for non-compliance in December 2020.

The Irish Data Protection Commission (DPC) is the national supervisory authority tasked with monitoring the application of the GDPR in Ireland and is also the lead authority for regulating big tech companies based in Ireland but operating across the European Union. 

Data Protection Authority Focus

In 2020 the DPC issued its first fine in a cross-border case and was the first supervisory authority in the European Union to use the GDPR dispute resolution process. In December 2020, the DPC issued a decision to Twitter regarding the notification and documentation of a personal data breach (Articles 33(1) and 33(5) GDPR).  This decision provided a critical analysis of the data breach notification and documentation requirements imposed on organisations by Article 33 GDPR, which requires the notification of personal data breaches within 72 hours.  The DPC found that Twitter delayed its reporting and failed to document the personal data breach adequately.  Twitter had argued that the delay in notification was due to an internal delay in the breach notification to its own Global Data Protection Officer.  The DPC disagreed, pointing out that a failure of internal processes does not justify a delay in reporting.

As part of the GDPR dispute resolution process (Article 65), the draft decision submitted to other EU supervisory authorities was the first draft decision in a 'big tech' case, and the first time all EU supervisory authorities were consulted. The European Data Protection Board (‘EDPB’) adopted the DPC's decision and issued a final decision to Twitter in December 2020. The decision imposed an administrative fine on Twitter.

The DPC has also provided a draft decision to its EU counterparts about whether WhatsApp, owned by Facebook, has discharged its GDPR transparency obligations regarding the provision of information and the transparency of that information to users and non-users of WhatsApp’s services.  A final decision is expected near the end of 2021.

Despite the extent and complexity of its work regulating large tech businesses, some have criticized the DPC for the slow pace of progress. The European Parliament's EU Civil Liberties Committee has expressed concerns that the DPC, as the lead supervisory authority in the EU, fails to regulate the big tech companies headquartered in Dublin adequately. In its defense, the DPC has highlighted the apparent complexity and significant resources necessary for each inquiry underway and pointed to the EU's consultation process as a factor slowing the finalization of DPC decisions.


  

Italy

BDO Local Resources

Stefano Minini | Email | Phone

Luigi Sasso | Email | Phone

Law: GDPR, Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code'), Legislative decree n. 196/03 integrating GDPR provisions

Regulator(s): Italian Data Protection Authority ('Garante')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

At the end of 2018, Italy amended the Personal Data Protection Code to adapt to the GDPR.

As far as the business environment in Italy is concerned: 2021 is mainly focused on fine-tuning privacy compliance frameworks at the corporate level and deploying them to sister companies abroad.

In September 2021, the Garante approved the adoption of body cameras by two law enforcement agencies (the State Police and the National Military Police). Limits on their use were imposed, especially concerning facial recognition and the implementation of security measures. Both agencies conducted Data Protection Impact Assessments (‘DPIAs’) and agreed to limit the recording time, disallow facial recognition for unique identification, and limit activation to documenting situations of concrete and ‘real’ danger to the public or criminal offences.

Following other prominent Data Protection Authorities (e.g., France CNIL, Spain AEPD, Denmark Datatilsynet) and the European Data Protection Board (‘EDPB’) in July 2021, the Garante launched an informational page on cookies use to protect users’ personal data when browsing online. The Garante identified a six-month deadline for Italian companies to comply with the new guidance[1].

Data Protection Authority Focus

The Garante focuses on technology, telecommunications, multi-utility, and sanitary industries in terms of control activities. Significant sanctions of more than €20 million have been applied mainly for undue telemarketing activities in the past months.

In September 2021, the Garante fined the Region of Lombardy €200,000 for publishing the personal data of more than 100,000 students on the institution’s website[2]. The students had requested state scholarships and economic subsidies to purchase textbooks, technological equipment, and teaching tools. The Garante found that the publication lacked a legal basis, violating Article 6 of the GDPR, and that publishing data revealing economic hardship violated Article 5(1)(a) and (c).

In September 2021, the Garante fined the Municipality of Rome €800,000 for several privacy violations relating to parking meters located in Rome[3]. The municipality had contracted Atac Spa to manage the parking lots and to implement technology offering new services and payment methods. The Garante found that the municipality (the data controller) and Atac Spa (the data processor) violated Articles 5(1)(a), 12, 13, and 28.

In September 2021, the Garante announced that it had asked the Irish DPC to investigate Facebook’s recently announced smart glasses before the glasses were marketed in Italy. The Garante requested that the inquiry cover the legal basis, data protection, anonymization, and the voice assistant connected to the glasses. The Irish DPC and the Garante published a joint statement calling on Facebook Ireland to confirm that its newly released product, Facebook View, properly informs individuals when they are being recorded[4].

[1] GPDP, Garante per la Protezione Dei Dati Personali, Linee guida cookie e altri strumenti di tracciamento - 10 giugno 2021 [9677876], 10 July 2021

[2] GDPRhub, Garante per la protezione dei dati personali (Italy) - 9697724

[3] P365 Blog, BY THE ITALIAN DATA PROTECTION AUTHORITY: Roma Capitale, parking are not protected by drivers. The Italian DPA sanctions the Municipality and Atac, 09 October 2021

[4] IAPP.org, Irish and Italian DPAs on Facebook smart glasses privacy issues, 23 September 2021


  

Jersey

BDO Local Resources

Damon Greber | Email | Phone

Law: Data Protection (Jersey) Law 2018 (‘DPLJ’)

Regulator(s): Jersey Office of the Information Commissioner (JOIC)

Adequacy Agreement with GDPR: yes

Measures Announced

Overview

There have been no significant changes to legislation in the last 12 months. There has been a change in the Information Commissioner who leads the Jersey Office of the Information Commissioner (‘JOIC’).

Within businesses, there has been a maturing of data protection with many programs moving into business as usual and privacy governance tools being invested in to remove the use of excel and other manual registers.

Generally, the Data Protection (Jersey) Law is based on six principles of good information handling. The JOIC issued guidance on various data protection issues.

  • Data Protection by Design and Default
  • Data Protection Impact Assessments
  • Data subjects’ rights

The JOIC signed a memorandum of understanding with the Guernsey Office of the Data Protection Authority (‘ODPA’) to enhance the exchange of information and cooperation between the JOIC and the ODPA.

Data Protection Authority Focus

JOIC increased the amount of guidance it is issuing and has naturally focused on protecting health data by businesses during the COVID-19 pandemic.

In June 2021 the JOIC announced that it plans to continue ‘data protection audits to raise awareness of the benefits to business of good data protection and improve respect for personal information[1]’.

An announcement was made in April 2021 that Jersey firms may disclose personal data to the United States SEC in appropriate circumstances.

Additionally, the Jersey Office of the Information Commissioner (JOIC) is continuing its program of data protection audits to raise awareness of the benefits to business of good data protection, improve respect for personal information and ensure organisations across Jersey are compliant with the Data Protection (Jersey) Law 2018.

The program, which began in November 2020, formed part of the JOIC’s Regulatory Action and Enforcement Policy. The program aims to:

  • Assist companies in discovering the strengths and weaknesses in their data protection management programmes.
  • Identify security gaps to decrease the risk of personal data breaches and act like a dose of preventative data protection healthcare.

[1] JOIC, JOIC Data Protection Audit Programme enters Phase Two, 01 June 2021


  

Latvia 

BDO Local Resources

Lasma Kramina | Email | Phone

Law: GDPR, Personal Data Processing Law of 21 June 2018 ('the Law')

Regulator(s): Data State Inspectorate ('DVI')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

The last 12 months have unfortunately passed in the shadow of the COVID-19 pandemic. The coronavirus remains the focus of personal data protection issues, especially in labor law, education, and medicine.

Most employees work remotely, which means that their homes have become a ‘workplace,’ which poses a more significant risk of a breach of their privacy. The Data State Inspectorate questioned organizations about the legality of employers requiring employees to keep their computer video on during work hours. Health-related data processing was another point of contention in Latvia, as employers requested COVID-19 test results, vaccination status, and the employee's view on receiving the vaccination.

Similar issues have been highlighted in the field of education, as students also learn remotely. In its assessment, the Data State Inspectorate (‘DVI’) considers the interaction between teacher and student, and among the students themselves, a critical element of the educational process.

The Data State Inspectorate actively performs the advisory function by providing remote consultations and publishing explanations on the appropriate application of binding regulatory enactments during the pandemic.

Data Protection Authority Focus

Latvia is currently working to increase privacy in the digital environment while promoting the balance between personal data protection rights and the introduction of innovative technologies in the business, including the use of artificial intelligence.

OECD recommendations and the capacity of the DVI are taken into consideration as the DVI improves consumer protection.

The Data State Inspectorate has also applied for membership in the Global Privacy Network to facilitate cooperation with European Union countries and third countries.


  

Malta

BDO Local Resources

Ivan Spiteri | Email | Phone

Law: GDPR, The Data Protection Act (Act XX 2018) ('the Act')

Regulator(s): Office of the Information and Data Protection Commissioner ('IDPC')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

The Government of Malta appointed Mr. Ian Deguara as the new Information and Data Protection Commissioner for five years, which went into effect on 21 December 2020. Mr. Ian Deguara was one of the first employees to join the Office of the Information and Data Protection Commissioner in December 2002 after completing his studies at the University of Malta, where he obtained a degree in computing and management.

In February 2020, Malta’s Information and Data Protection Commissioner (IDPC) Office embarked on an awareness campaign designed to increase public awareness on the data protection rights deriving from the General Data Protection Regulation. The IDPC’s objective is to instill a culture where citizens of different age groups understand the importance of safeguarding their personal data and being well-informed of exercising their rights under the GDPR. Various media channels published a series of publicity materials.

Data Protection Authority Focus

Year-to-date in 2021, the IDPC issued five decisions, covering two data breach notification violations and three data protection complaints[1]. The recurring theme is the infringement of GDPR Articles 5, 6, and 32.

In 2020, the IDPC issued €64,500 in administrative fines, as well as 24 reprimands[2].

Like other Data Protection Authorities, in August 2021, the IDPC published guidance on cookie consent requirements.

In May 2021, the Malta Financial Services Authority (‘MFSA’) and the Malta Police Force signed a Memorandum of Understanding to enhance collaborative efforts to fight financial crimes.

[1] IDPC, Decisions issued by the Information and Data Protection Commissioner, 2021

[2] Ibid.


  

Netherlands 

BDO Local Resources

Menno Weij | Email | Phone

Law: GDPR, Act Implementing the GDPR (Dutch, Unofficial English)

Regulator: Dutch Data Protection Authority (‘AP’)

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

There have not been significant changes in legislation (as the GDPR continues to apply). However, new case law sheds light on subjects such as processing for legitimate interests pursued by the controller.

Dutch data subjects are increasingly aware of their rights under the GDPR. The Dutch data protection authority received approximately 25,590 complaints in 2020[1]. Many of the complaints focused on COVID-19-related privacy issues, and the AP has yet to address nearly 9,800 of last year's complaints[2].

The AP plans to grow, so we expect to see more fines and more rapid responses to complaints in the future.

We furthermore expect to see new developments regarding (regulation of) online platforms, connected care, artificial intelligence (‘AI’), and similar subjects.

Data Protection Authority Focus

The Dutch data protection authority (Autoriteit Persoonsgegevens, AP) has expressed its concerns about the continuous change of society due to digitization and technological innovation, leading to more data that are also more diverse, specific, and personal. In this digital society, personal data protection is essential. The AP is afraid of an increase in ‘digital injustice’, for example, illegal data trading, inadequate security, discrimination, and undermining of the democratic legal order.

The AP has selected three focus areas:

  • Data brokering (supervision on sale of data, internet of things, profiling, behavioural advertising),
  • Digital government (data security, smart cities, partnerships, elections, and microtargeting), and
  • AI and algorithms.

The AP will focus on designing a system for the supervision of AI and algorithms in which personal data are used and will focus, among other things, on transparency and the proper explanation of automated decision-making.

Privacy by design will become increasingly essential, as will performing DPIAs and meeting other GDPR requirements that may not yet have received proper attention.

[1] IAPP, Dutch DPA summarizes 2020 work, 12 March 2021

[2] Ibid.


  

Poland

BDO Local Resources

Tymoteusz Murzyn | Email

Law: GDPR, Act of 10 May 2018 on the Protection of Personal Data ('the Act')

Regulator: Polish Data Protection Authority ('UODO')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

Over the last 12 months, there have not been any significant changes to legislation or local data protection authority behavior. The new Polish Act on Personal Data Protection, adopted in May 2018, replaced the 1977 Act. The 2018 Act (adopted February 2019) implements the more extensive and complex data protection regulations binding at the EU level. Also, in February 2019, the act of December 2018 implementing the ‘Police’ Directive no. 2016/680 came into force.

Data Protection Authority Focus

The President of the Polish Personal Data Protection Office regularly reports on its activity via its official website. Additionally, violations of data protection laws may be subject to action by the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.

The UODO continues to fine private organizations and public institutions for violations of the GDPR and local data protection regulations. Recent fines include privacy violations associated with health data management (e.g., body temperature measurement, vaccination data gathering). The authority's interpretation of the law on such socially sensitive issues has sometimes proved controversial and has been widely commented on by experts.

In August 2021, the UODO fined the District Court in Zgierz PLN 10,000 (approximately €2,180 or $2,530) for failing to implement appropriate technical and organizational safeguards. Four hundred data subjects were affected, and the decision found violations of Articles 5(1)(f), 24(1), 25(1), 32(1)(b), 32(1)(d), and 32(2).

In August 2021, the UODO announced that the Provincial Administrative Court in Warsaw dismissed the appeal brought by the Warsaw University of Life Sciences (‘SGGW’) against the UODO’s decision to fine the SGGW for its failure to implement sufficient technical and organizational measures.

In July 2021, the UODO fined the Lex Nostra Foundation for the Promotion of Mediation and Legal Education PLN 13,644 (approximately €3,000 or $3,481) for failing to notify the UODO and the data subjects without undue delay about a data breach that occurred in 2020. The lack of notification was a violation of GDPR Article 34(2).

In June 2021, the UODO fined Funeda Spółka Sp. z o.o. PLN 22,000 (approximately €4,843 or $5,620) for lack of cooperation with the Supervisory Authority. The infraction was a direct violation of GDPR Articles 31, 58(1)(a), and 58(1)(c).


  

Portugal

BDO Local Resources

Luís Crispim | Email | Phone

Law: GDPR, Law No. 58/2019, which Ensures the Implementation in the National Legal Order of the GDPR on the Protection of Individuals with Regards the Processing of Personal Data and the Free Movement of Such Data (‘Law No. 58/2019’)

Regulator: Portuguese Data Protection Authority ('CNPD')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) began to apply on 25 May 2018. However, Portugal failed to implement in a timely fashion the Data Protection Law Enforcement Directive (Directive (EU) 2016/680) (LED). The European Commission urged Portugal to implement the LED by the end of March 2019. Finally, the Portuguese legislation to ensure the application of the GDPR in the National legal context was published and came into force on 8 August 2019.

The critical aspects of this Law are the:

  • age of natural persons to consent (fixed in 13 years),
  • rights of deceased persons,
  • determination of fine amounts (depending on the size of the companies), and
  • legal obligation of confidentiality for all people who deal with personal data concerning health.

The Portuguese data protection authority is still not performing fieldwork; it acts only in response to complaints. Despite its current legal limitations, in October 2018 the Portuguese Data Protection Authority (CNPD) imposed a fine of 400,000 EUR on the Hospital of Barreiro and Montijo (CHBM) under the GDPR[1]. Recently, the largest Portuguese consumer protection association (DECO) was fined 107,000 EUR for sending unsolicited e-mails. The new government and budget are expected to make the CNPD more active.

There is still much to be done in implementing the GDPR in Portuguese companies. There are some grey areas concerning the processing of health data by insurance companies which the Law or supervisory authority should clarify. At the same time, data subjects in Portugal are becoming more aware of data protection issues, and the rights of data subjects – especially the right of access – are being exercised more often. However, GDPR matters have not yet been brought in great numbers before the Portuguese courts. Due to the state of emergency caused by the spread of COVID-19, on 16 March 2020 the Portuguese Data Protection Authority (the ‘CNPD’) issued Resolution 2020/170 which interrupted, with immediate effect, the deadlines to respond to its draft decisions in the context of administrative proceedings.

Data Protection Authority Focus

In the context of the widespread practice of remote working owing to the lockdown and isolation measures imposed to address the COVID-19 pandemic, the CNPD (Portuguese Data Protection Authority) issued, on April 17, ‘Guidelines on monitoring remote working[2]’.

Several citizens diagnosed with COVID-19 complained that local authorities had disclosed their personal information on their websites. The CNPD issued:

  • Guidelines on disclosure of information relating to the COVID-19 diagnosis, and
  • Guidelines on the collection of workers' health data, including the worker's body temperature.

[1] IAPP, First GDPR fine in Portugal issued against hospital for three violations, 03 June 2019

[2] Uria Menendez Proenca de Carvalho, Guide to key legal matters relating to the COVID-19 outbreak, 03 June 2020


  

Romania

BDO Local Resources

Raluca Andrei | Email | Phone

Law: GDPR, Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('the Law')

Regulator: National Supervisory Authority for Personal Data Processing ('ANSPDCP')

Adequacy Agreement with GDPR: n/a

Measures Announced

General

In 2018, Romania implemented the GDPR, and it is enforced by the ANSPDCP. The ANSPDCP maintains a resource center for organizations to use as a reference.

There has been an increasing number of complaints and notifications raised with the ANSPDCP (in the first four months of 2021, 1733 complaints and data breach incidents were notified to the data protection authority, of which 288 led to investigations). This is evidence that data subjects are becoming more aware of their rights and freedoms, while legal entities try to mitigate the risks to those rights and freedoms in accordance with the law.

According to the GDPR Enforcement Tracker[1], fines and penalties by year include:

Year                    Count of Fines    Penalties (EUR/USD)
2021 (through August)   15                €184,650
2020                    26                €33,900
2019                    21                €484,500
2018                    0                 0


Data Protection Authority Focus

The data protection authority's investigations focus on banks and telecommunication companies. However, since the entry into force of the GDPR, the ANSPDCP has also sanctioned House Tenants' & Flat Owners' Associations, public authorities, and healthcare clinics.

The most recent fines applied by the data protection authority (in May - June 2021) concerned the fact that:

  • The controllers did not provide the authority with the requested information for the performance of the investigation (two fines, EUR 2,000 each).
  • A telecommunication company has wrongfully circulated the invoices of some clients to the e-mail addresses of third parties, which led to unlawful processing of personal data (name, surname, telephone number, client code, address) (one fine, EUR 1,000).
  • A House Tenants' & Flat Owners' Association disclosed on a digital notice board the payments due, with the full names and surnames of the association's members; the plaintiff also claimed that the association disclosed a defamatory note bearing his name and surname (one fine, EUR 500).
  • A telecommunication company has sent marketing communications to a client who has previously revoked his consent for marketing processing activities (lack of legal basis) (one fine, EUR 2,000).

[1] GDPR Enforcement Tracker, 2021


  

Russia

BDO Local Resources

Ivan Novikov | Email | Phone

Law: Basic legislative act is the Federal Law No 152-FZ ‘On personal data’ of 27 July 2006 (as amended) (Russian, Unofficial English)

Regulator: The Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor')

Adequacy Agreement with GDPR: no

Measures Announced

Overview

Data protection in Russia is governed by several laws:

  • Law on Personal Data (2006), which follows a similar approach to the GDPR
  • Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies, and Protection of Information (‘the Law on Information’)
  • Federal Law of 21 July 2014 No. 242-FZ (‘Data Localization Law’)

There are also potential laws around genetic data, financial assets, and digital profiles.

The most significant changes were introduced by Amendment Law No. 519-FZ of 30 December 2020. The amendments introduce a special status of personal data, namely personal data that the data subject has permitted to be publicly distributed.

The amendments mean that an unlimited number of persons may have access to this data if the data subject has consented to processing that allows its public distribution. Consent to processing that allows public distribution must be documented separately from other consents to processing. The operator must give the data subject the opportunity to specify in the consent a list of personal data belonging to each category of personal data. The data subject has the right to demand cessation of the transfer of personal data that was previously allowed for public distribution. Claims can be raised against any person processing such personal data in violation of the law.

Data Protection Authority Focus

The regulator's basic focus is explaining provisions of personal data legislation, conducting field audits of Russian companies' personal data practices, and imposing fines for significant violations of the law.

In September 2021, the State Parliament (‘Duma’) announced that Bill No. 1256973 ratified the legal assistance agreement between the Member States of the Commonwealth of Independent States (‘CIS’), which was signed in December 2020.

In September 2021, the office of the Moscow Region of the Federal Antimonopoly Service (‘Moscow FAS’) announced that Clinique Cosmetics, LLC (Estée Lauder Companies, Inc. subsidiary) breached Part 1 Article 18 of Federal Law No. 38-FZ of 13 March 2006. Clinique Cosmetics distributed advertising messages to an individual without their explicit consent, did not respond to requests to stop advertising mailing, and was fined RUB 500,000 (approx. € 5,898 or $6,839).


  

Slovakia

BDO Local Resources

Marek Priesol | Email

Law: GDPR, Act No. 18/2018 Coll. on Protection of Personal Data and on Amendments to certain Acts ('the Act') (Slovak, Unofficial English)

Regulator: Office for Personal Data Protection of the Slovak Republic ('ÚOOÚ')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

In the past 12 months, there have been minor changes at the national level, except in one case - the addition of legal conditions for the processing of personal data on the health status of patients in the national register, for which the corresponding legislative basis for processing was not, until recently, adopted.

In this regard, in October 2020 the Slovak Office for Personal Data Protection dealt with the legislative conditions for processing personal data on health status based on secondary legislation (a Decree of the Regional Public Health Office) related to COVID-19, especially the processing of information on negative COVID-19 test results and certificates from nationwide testing. The Office found a violation of the principles of personal data processing, stating in its opinion that decrees adopted under the Slovak Act on Protection and Promotion of Public Health could not be considered an adequate legal basis for personal data processing.

There was also quite a serious incident in connection with the processing of personal data relating to health. In September 2020, the Slovak security IT company Nethemba drew attention to a critical vulnerability in the Moje eZdravie (‘My eHealth’) application, which is operated by the National Center for Health Information (‘NCZI’)[1]. The NCZI held personal information about more than 130,000 patients tested for COVID-19 in Slovakia. According to Nethemba, the flaw made it possible to obtain information about more than 390,000 patients in the database. The NCZI later informed the ÚOOÚ that the application lacked the security protections required for public administration information systems. The case is currently pending.

Data Protection Authority Focus

The Slovak Office for Personal Data Protection focuses on issuing guidance, informing the public about current developments (especially in EU legislation), and carrying out inspection activities.

According to official data from the Office, in 2020, the Office registered 65 new inspections on the processing of personal data[2]. The ÚOOÚ inspected ten potential data processing violations while fifty-five inspections (at various procedural stages) carried over to 2021.

Of the 39 inspections completed in the observed period, 10 concerned processing activities of state bodies and organizations, 4 concerned processing activities of local self-government bodies (cities and municipalities), 20 concerned processing activities of other legal entities (including two banks, one insurance company and one health care provider), and one concerned the processing activities of a sports association. In 2020, checks on the processing of personal data were also performed on four natural persons.

The most frequent subject of personal data protection proceedings was a review of the legal requirements for processing personal data via camera systems. The most frequent violation was processing without a valid legal basis, or processing contrary to the principle of integrity and confidentiality, which was linked to processors' failure to take appropriate security measures.

[1] Ekdeeps, Sensitive data have been compromised for months on the Internet, 17 September 2020

[2] Office for Personal Data Protection of the Slovak Republic


Spain

BDO Local Resources

David Molina | Email | +34 676 587 589

Roger Perez | Email | +34 696 723 386

Law: GDPR, Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD)

Regulator: Spanish Data Protection Authority ('AEPD')

Adequacy Agreement with GDPR: n/a

Measures Announced

Overview

The AEPD is one of the most active data protection authorities in Europe in terms of issuing enforcement actions and responding to data subjects’ complaints and requests. Since 2018, the AEPD filed approximately 295 complaints[1].

According to the GDPR Enforcement Tracker[2], fines and penalties by year include:

Year                   Count of Fines   Penalties (EUR)
2021 (through August)  124              €23,461,800
2020                   133              €8,152,710
2019                   38               €1,318,100
2018                   0                €0


There have been no relevant legislative changes in privacy in the last year, but the Spanish Data Protection Authority has increased both the number of sanctions and their monetary value for companies of all sizes.

Data Protection Authority Focus

Companies of all sizes have been fined for very different kinds of GDPR (RGPD) breaches, ranging from unreported data breaches and e-mails sent without blind copy (BCC), to deficiencies in the content of privacy policies, transfers of data between companies, and reliance on legitimate interest.

[1] GDPR Enforcement Tracker, 2021

[2] Ibid.


Switzerland

BDO Local Resources

Klaus Krohmann | Email | Phone

Law: Federal Act on Data Protection 1992 ('FADP'), 2020 FADP Revisions (German, French, Italian)

Regulator: Schweizer Datenschutzgesetz - Federal Data Protection and Information Commissioner ('FDPIC')

Adequacy Agreement with GDPR: yes

Measures Announced

Overview

The Swiss Parliament enacted a total revision of the Swiss Data Protection Act (DPA) in fall 2020. While the revised DPA is based on principles equivalent to the GDPR, it is not simply a copy of it: the rules in the revised DPA deviate slightly from the GDPR in the details, and the Swiss DPA is somewhat less detailed, leaving more room for interpretation. Like the GDPR, the revised DPA will have extraterritorial effect. It provides for data incident notification duties and data subject access rights, and grants several exceptions to the information duties upon collection of data. Data transfers to countries with an equivalent level of data protection are privileged. The revised DPA is expected to enter into force most likely as of 1 July 2022. There will be no grace period.

Data Protection Authority Focus

In contrast to the administrative fines imposed on the company under the GDPR, the revised Swiss data protection act provides for penal sanctions against the responsible persons within the organization. In a Swiss limited liability company, for instance, this means that the board of directors is liable in the first instance. It is responsible for ensuring data protection compliance within the organization and should regularly seek reports on the organization's maturity, its gaps, and potential improvements.


Turkey

BDO Local Resources

BDO Turkey Office

Measures Announced

Overview

The Turkish Personal Data Protection Code (PDPC) was enacted on 24 March 2016 and published in the Official Gazette on 7 April 2016. Together with the PDPC, the Turkish Personal Data Protection Authority was established. The Authority set a compliance period for individuals, companies and institutions running until 7 April 2018. Data controllers who employ more than 50 employees in a year, or whose total annual financial statement exceeds 25 million TRY, had to register with the Authority's online portal, "VERBIS", by 31 December 2019.

Because the Authority was established only recently and does not yet have sufficient inspectors, investigations are commenced upon complaints. However, broader investigations initiated by the Authority itself in sectors such as banking and telecommunications are expected in the near future.

The penalties set out in the law and related legislation range between 20,000 TRY and 1,500,000 TRY. Although these penalties may seem relatively low compared to those in EU Member States, the Authority tends to penalize data controllers at the upper limits where there has been a breach of the law.

Recent Updates

The Turkish Personal Data Protection Authority (KVKK) has provided general guidance on protecting personal information during COVID:

  • Because of the obligation to protect the health and safety of the general public, the personal data protection law allows public authorities to use personal information to send public health announcements to personal phones, emails, and text messages without consent.
  • During work-from-home arrangements resulting from COVID-19, personal equipment can be used in place of enterprise-managed equipment. Organizations remain responsible for data protection and should train employees on how to use personal equipment for work safely.
  • KVKK advises that while keeping employees apprised of developments is necessary, it is not necessary to identify the individual when notifying staff that a colleague has tested positive for COVID-19.
  • Employers are justified in requesting both risky-travel and COVID-19 symptom-related details from employees, so long as this is necessary and proportional.

Additionally, the KVKK also provided guidance on location tracking during COVID-19:

  • As allowed under emergency conditions, the personal data of Turkish citizens and residents is being lawfully processed to combat COVID-19, including contact information, health information, and physical location.
  • For this processing to remain lawful, processing organizations must take care to apply all fundamental principles of data privacy and security.
  • KVKK finds no undue invasion of privacy in processing personal location data during the COVID crisis to ensure isolation of infected individuals or to identify crowded areas.

Relative to distance learning, the KVKK provided guidance during the COVID-19 pandemic:

  • Leveraging distance learning platforms involves processing a substantial amount of personal and biometric data, including name, image, and voice.
  • Biometric data like voice and image are considered special categories of personal information and carry stricter regulatory requirements for processing.
  • Most distance learning platforms are cloud based and have data centers located abroad. The use of such platforms, and the transfer of data to those external data centers, may not comply with data protection regulations; extra caution should therefore be taken in applying the controls required for processing special categories of personal information.


United Kingdom

BDO Local Resources

Christopher Beveridge | Email | Phone

Law: UK Data Protection Act 2018 (DPA 2018), UK General Data Protection Regulation (Regulation (EU) 2016/679) (‘UK GDPR’)

Regulator: The Information Commissioner's Office ('ICO')

Adequacy Agreement with GDPR: yes

Measures Announced

Overview

Following the UK's exit from the European Union, the European Commission adopted two adequacy decisions for the UK:

  • Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council (the Data Protection Directive with respect to law enforcement) on the adequate protection of personal data by the United Kingdom

COVID-19 and the processing of health-related data is another key focus for the UK. The ICO issued guidance on what companies may do with health-related information, and additional guidance on working from home followed shortly afterwards.

Data Protection Authority Focus

Despite the developments of Brexit and COVID-19, the UK's ICO was busy in 2020, and this continued into 2021. The ICO issued several calls for comments, including on direct marketing and the Age Appropriateness Code (collection of minors' information). It also issued guidance on data subject access requests and criminal offence data. Separately, the UK Government's Department for Culture, Media & Sports ('DCMS') launched a consultation on a National Data Strategy. In September 2021 the DCMS launched its Cyber Security Breaches Survey 2022, which details the costs and impacts of cyber breaches and attacks on UK businesses[1].

The UK also responded to guidance issued by the European Union, notably on consent, data protection by design and by default, and the processing of health data, especially in connection with COVID-19.

In September 2021 the UK Government, through the DCMS, presented the National Artificial Intelligence ('AI') Strategy to Parliament. The strategy lays out a long-term plan for the UK AI ecosystem, its support requirements, and its governance structure.

In 2020, investigations and sanctions continued to rise. The most notable cases include British Airways (fined £20.0 M[2], about $27 M) and Marriott Group (fined £18.4 M[3], about $24 M). More recently, Ticketmaster was fined £1.25 M ($1.7 M), and an EasyJet data breach investigation is underway. EasyJet is managing litigation and class action suits resulting from the compromise of approximately 9.4 million customers' records, including 2,208 credit card details that were accessed[4].

[1] CBI/ABI, Cyber Security Breaches Survey 2022 Frequently Asked Questions

[2] ICO, ICO Fines British Airways £20m for data breach affecting more than 400,000 customers, 16 October 2020

[3] ICO, ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure, 30 October 2020

[4] IDC, easyJet Data Breach – Rebuilding Trust Now a Priority, 22 May 2020