Global Media and Communications Watch: The International Legal Blog for the Tech, Media and Telecoms Industry

Tag Archives: DPA

Posted in Data Protection & Privacy | By Elisabethann Wright

Belgian DPA Issues Guidance on Temperature Measurements in the Context of COVID-19

In the context of their return-to-work policies, companies are seeking solutions to detect individuals with fever at the entrance of their premises with the aim of preventing further contamination within the buildings. This can be achieved by means of conventional thermometers, digital fever scanners directed at the forehead of the person, or sophisticated thermal camera systems. The Belgian Data Protection Authority has issued guidance in which it adopts a strict position regarding the implications of temperature screenings for individuals’ data privacy rights. More specifically, it provides that the simple

Posted in Policy & Regulation | By Paula Garcia

The ICO Updates Its Data Sharing Code of Practice

On 9 July 2019 the UK data protection authority (ICO) updated its Data Sharing Code of Practice (first published in 2011) (Code). On the same day, the ICO also announced its intention to fine Marriott International just over £99m for infringements of the General Data Protection Regulation (GDPR), highlighting the importance of due diligence in the context of data sharing. The Code, made under section 121 of the UK’s Data Protection Act (DPA), is publicly available for consultation until 9 September 2019. Once finalised, the Code will become a statutory

Posted in Data Protection & Privacy | By Ewa Kacperek and Weronika Wolosiuk

First Fine Imposed by the Polish DPA Under the GDPR

The President of the Personal Data Protection Office in Poland (Polish DPA) imposed a fine amounting to PLN 943,470 (approximately EUR 220,000; approximately USD 245,977) for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation (GDPR). This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort”

Posted in Data Protection & Privacy, Policy & Regulation, Privacy and Security Litigation | By Eduardo Ustaran

EDPB Joins the Dots of ePrivacy and GDPR

On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive (“ePD”) and the General Data Protection Regulation (“GDPR”). The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities (“DPAs”). The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of

Posted in Cybersecurity, Data Protection & Privacy, Policy & Regulation, Privacy and Security Litigation | By Joke Bodewits

Dutch Data Protection Authority States Cookie Walls Violate GDPR

On 7 March 2019, the Dutch Data Protection Authority published guidance (in Dutch) that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies. Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the

Posted in Cybersecurity, Data Protection & Privacy, Policy & Regulation, Privacy and Security Litigation | By Dr. Christian Tinnefeld and Dr. Henrik Hanssen

GDPR Enforcement Update: Increasing Fines Expected from German DPAs | HL Chronicle of Data Protection

Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of

Posted in Data Protection & Privacy

Hogan Lovells Updates Practical GDPR Guide

With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Businesses operating in Europe or targeting European customers now need to comply with the new regime. At stake are not only the consequences of non-compliance, but also the ability to take advantage of new technologies, data analytics and the immense value of personal information. From determining when European law applies to devising a workable cooperation strategy with national regulators, there are many intricate novelties to understand and address.

Posted in Data Protection & Privacy | By Victoria Hordern

Health Company Fined by UK’s Information Commissioner Office

Last week, the UK’s Information Commissioner’s Office (ICO) published a monetary penalty notice which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure. In this instance, several data protection compliance issues were at stake – HCA had engaged a subcontractor based in India to process sensitive personal data without putting an agreement in place that met the requirements of the Data Protection Act 1998 (DPA) and without taking steps to ensure an adequate level of protection for data transferred outside the EU. One

Posted in Data Protection & Privacy | By Jakub Baczuk

Polish DPA Releases Data Privacy Inspection Plans – Targets Health, Shopping

The Polish Data Protection Authority (GIODO) has just released its inspection plans for 2017. This year, the GIODO has decided to target its review of compliance with data protection laws on the health services and consumer sectors, with particular attention to certain profiling activities taking place in stores and shopping malls. The health sector inspections will be directed at healthcare professionals and clinics. The inspections will focus on the process of patient registration, the circumstances under which registration data is collected from patients, and the overall data security provided. The

Posted in Data Protection & Privacy

Future-Proofing Privacy: Enforcement and the Risk of Non-Compliance

One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution. Status and

Posted in Data Protection & Privacy | By Eduardo Ustaran

A New Turn in the Safe Harbor Roller Coaster

The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach its highest point, but once the European Court of Justice (ECJ) ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten

Posted in Data Protection & Privacy | By Timothy Tobin and Tim Wybitul

European Commission Issues Opinion on Safe Harbor after Schrems

On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s (CJEU) Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that:

Posted in Data Protection & Privacy | By Dr. Christian Tinnefeld and Dr. Henrik Hanssen

Mobile Health in the EU (Part 1): Introduction to mHealth and Privacy Laws

Introduction to mobile Health and data protection laws

The mobile Health (mHealth) sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies (DPAs) and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile

Posted in Data Protection & Privacy, Policy & Regulation | By Dr. Marcus Schreibauer, Jan Spittka and Lilly Taranto

Part 10: Enforcement and the Risk of Non-Compliance

One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains