GDPR 3 years on – The greatest hits (and misses)


More than three years have passed since the GDPR applied and a lot has happened in the world of data protection during that time – fines, class actions, court challenges and more. We give our “playlist” of the greatest hits (and misses). Our previous article marking 12 months of GDPR had a cinematic theme. Now, we’re giving the three-year anniversary of GDPR a musical twist.

1. All the Single Ladies (credit to Beyoncé Knowles, Terius Nash, Thaddis Harrell, and Christopher Stewart)

Brexit: “If you liked it, you should[n’t] have put a [referendum] on it…”

The United Kingdom left the European Union and now has its own data protection regime in the form of the Data Protection Act 2018 and the UK GDPR. For now, this is largely based on the EU GDPR but we expect further divergence in future as the UK seeks to establish itself as a favourable place for overseas companies to do business.

Dadocracia ep. 62: A shower of fines

Fines for the misuse of personal data are becoming more common around the world, and in Brazil. In this episode of Dadocracia, we discuss some of those fines, as well as initiatives to educate young people about protecting their data online.

Source: Dadocracia by Data Privacy Brasil on

GDPR: European Commission adopts adequacy decision permitting data transfers to UK, but challenges likely

On Monday, days before the 30 June deadline, the Commission published its implementing decision deeming the UK adequate for the purposes of transfers under the GDPR. The Commission’s decision followed on from its draft adequacy finding published in February and a largely positive opinion from the European Data Protection Board in April.

Carrefour fined €3.8 million for GDPR non-compliance

Carrefour, the French supermarket multinational with operations in more than 30 countries, was fined €3 million (almost R$20 million) for multiple violations of the General Data Protection Regulation (GDPR). The information comes from Infosecurity Magazine.

According to the site, the fine was imposed by the Commission Nationale de l’Informatique et des Libertés (CNIL), one of the main GDPR regulators in Europe. In addition to the global supermarket chain, Banco Carrefour, known as Carrefour Soluções Financeiras in Brazil, was also fined by the authority, in the amount of €800,000 (more than R$5 million).

H&M hit with €35.3m fine for GDPR employee breach

How did H&M’s internal data collection processes land it with the second largest fine in data breach history?

The key takeaway

Despite the catastrophic financial impact of COVID-19, the Hamburg State Commissioner for Data Protection and Freedom of Information (HmbBfDI) showed no signs of leniency in issuing H&M with the second largest fine ever to be handed to a single company for breach of the GDPR.

The background

The HmbBfDI announced on 1 October 2020 that it had fined the German subsidiary of fashion retailer H&M €35.3 million for the unlawful monitoring of employees in its centrally operated service centre in Nuremberg. On the same day, H&M announced it was to close 250 of its stores globally.

Thinking outside the (pre-ticked consent) box

The decision in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal doesn’t particularly break new ground, but rather reinforces what we already know about consent to data processing in the EU, namely:

  • That it must be freely given, specific, informed and unambiguous; and
  • Silence, inactivity or pre-ticked boxes don’t meet this standard.

GDPR offers possibilities for scientific research in the context of COVID-19 (but must be observed)

Nowadays, researchers are hunting for the right vaccine to protect against the virus and/or medication for the effective treatment of coronavirus patients. That means a lot of scientific research, and that often leads to questions about the protection of personal data. To what extent can health data be used for these purposes, and how does one ensure that, even in times of crisis, the requirements of the General Data Protection Regulation (“GDPR”) are met?

€35 Million Fine Issued Under GDPR For Employee Monitoring And IT Security Failings In Germany

During the COVID-19 pandemic, data privacy, and in particular employee data privacy, has been at the forefront of employers’ minds. In the last six months, employers across the globe have been required to give careful thought to a whole host of potential issues, from contact tracing apps to temperature and other health checks in the workplace, as well as processing an increasing volume of health data about their staff. Whilst not COVID-19 related, a recent decision from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany (the “Commissioner”) is an important reminder of the very significant financial and reputational sanctions an employer may face if it does not appropriately collect, retain and protect employee personal data in line with the GDPR.

A Cautionary Tale of Data Breaches and the GDPR after Hacker Steals Extremely Sensitive Data of 40,000 Psychotherapy Patients

In November 2018, a data security vulnerability in the systems of Vastaamo Oy (“Vastaamo”), a major provider of psychotherapy services in Finland, led to the names, personal identity numbers, and patient records of at least 40,000 patients being stolen by an unknown hacker.