More than three years have passed since the GDPR applied and a lot has happened in the world of data protection during that time – fines, class actions, court challenges and more. We give our “playlist” of the greatest hits (and misses). Our previous article marking 12 months of GDPR had a cinematic theme. Now, we’re giving the three-year anniversary of GDPR a musical twist.
1. All the Single Ladies (credit to Beyoncé Knowles, Terius Nash, Thaddis Harrell, and Christopher Stewart)
Brexit: “If you liked it, you should[n’t] have put a [referendum] on it…”
The United Kingdom left the European Union and now has its own data protection regime in the form of the Data Protection Act 2018 and the UK GDPR. For now, this is largely based on the EU GDPR but we expect further divergence in future as the UK seeks to establish itself as a favourable place for overseas companies to do business.
Monday, days before the deadline of 30 June, the Commission published its implementation decision deeming the UK adequate for the purposes of onward transfers under the GDPR. The Commission’s decision followed on from its draft adequacy finding published in February and a largely positive opinion from the European Data Protection Board in April.
O Carrefour, multinacional francesa de supermercados com operações em mais de 30 países, foi multada em €3 milhões (quase RS$ 20 milhões) por múltiplas violações do Regulamento Geral sobre a Proteção de Dados (GDPR). Informações são da Infosecurity Magazine.
De acordo com o portal, a multa foi aplicada pela Comissão Nacional de Computação e Liberdade (CNIL), uma das principais organizações reguladoras do GDPR na Europa. Além da rede mundial de supermercados, o Banco Carrefour, conhecido por Carrefour Soluções Financeiras no Brasil, também foi multado pelo órgão, em € 800 mil (mais de RS$ 5 milhões).
How did H&M’s internal data collection processes land it with the second largest fine in data breach history?
The key takeaway
Despite the catastrophic financial impact of COVID-19, the Hamburg State Commissioner for Data Protection and Freedom of Information (HmbBfDI) showed no signs of leniency in issuing H&M with the second largest fine ever to be handed to a single company for breach of the GDPR.
The HmbBfDI announced on 1 October 2020 that it had fined the German subsidiary of fashion retailer H&M €35.3 million for the unlawful monitoring of employees in its centrally operated service centre in Nuremberg. On the same day, H&M announced it was to close 250 of its stores globally.
The decision in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal doesn’t particuarly break new ground, but rather reinforces what we already know about consent to data processing in the EU, namely:
- That it must be freely given, specific, informed and unambiguous; and
- Silence, inactivity or pre-ticked boxes don’t meet this standard.
Nowadays, researchers hunt for the right vaccine for protection against the virus and/or and medication for the effective treatment of coronavirus patients. That means a lot of scientific research. And that often leads to questions about the protection of personal data. To what extent can health data be used for these purposes and how does one ensure that – even in times of crisis – the requirements of the General Data Protection Regulation (“GDPR”) are met?
During the COVID-19 pandemic, data privacy – and, in particular, employee data privacy – has been at the forefront of employers’ minds. In the last six months, employers across the globe have been required to give careful thought to a whole host of potential issues, from contact tracing apps to temperature and other health checks in the workplace, as well as processing an increasing volume of health data of its staff. Whilst not COVID-19 related, a recent decision from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany (the “Commissioner”) is an important reminder of the very significant financial and reputational sanctions an employer may face if it does not take appropriately collect, retain and protect employee personal data in line with GDPR.
H&M was hit earlier this month with the second-largest fine under the GDPR to date after a series of data protection failings relating to its employment practices at its Nuremberg service centre were investigated by the State Data Protection Commissioner in Hamburg.
In November 2018, a data security vulnerability in the systems of Vastaamo Oy (“Vastaamo”), a major provider of psychotherapy services in Finland, led to the names, personal identity numbers, and patient records of at least 40.000 patients being stolen by an unknown hacker.