The first two years of the General Data Protection Regulation¹ are almost behind us and we are getting used to daily news of imposed fines. Although the UK and France may be the "top enforcers", it isn't just the Western EU Member States that are taking this rather new regulation seriously. Leaving aside the "BA / Google" cases²,³, CEE countries have even "pioneered" GDPR enforcement. It is time to analyse whether there are common compliance failures that lead to significant fines, or whether the degree of harmonisation lags when it comes to GDPR enforcement. Let's have a look at the "top five" fines (until the end of September 2019) imposed in CEE countries where Schoenherr has offices:
Lessons learned:
What can we take away from those first major fines in CEE? These sample cases definitely show that the authorities are taking a closer look at data breaches. Irrespective of the data breach notification, which was not in dispute in the above-mentioned cases, the authorities will analyse the technical and organisational infrastructure of a data controller if a data breach with significant impact has occurred. This means that even if your company falls victim to cybercrime, you should not forget about your own duties. Besides, the multiple transparency obligations (providing appropriate and readable information upfront) should be taken seriously. Just because the data are easily available online, or because data protection is likely not the prime focus of the data subjects (as can be assumed in the case of festivalgoers), does not mean the data controller's obligation to act transparently is lifted. Companies should proactively and repeatedly evaluate their GDPR compliance structure. As often mentioned during the GDPR preparation phase, GDPR compliance is not a one-off task but requires steadfast attention.
Co-Author: Costin Sandu
¹ Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive), Journal L119, 4 May 2016, p. 1–88.
² Intention to fine British Airways GBP 183.39m under the GDPR for data breach; ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/
³ Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019 pronouncing a financial sanction against GOOGLE LLC, available under: www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.
⁴ https://www.cpdp.bg/en/index.php?p=news_view&aid=1519
⁵ https://www.cpdp.bg/en/index.php?p=news_view&aid=1514
⁶ https://www.dataprotection.ro/index.jsp?page=Comunicat_Amenda_Unicredit&lang=en
⁷ Responsible for the SZIGET, the VOLT and the Balaton Sound Festival.
Stefana Tsekova, Local Partner, Bulgaria