Proposed guidelines on GDPR fines by European DPAs

Organizations often ask how likely they are to face data protection fines and how much financial reserve they should set aside for them. Until 27 June, EDPB guidelines on calculating GDPR fines are released for public consultation. It is interesting to look at the example of mitigating and aggravating factors that could influence the height … Read more

What are the fining policies of EU Data Protection Authorities?

Below is an overview of the only comprehensive fining methodologies published so far by EU DPAs (specifically, by the Dutch, Danish, and Latvian DPAs), as well as the relevant draft Statutory guidance issued by the UK DPA (ICO) in 2020. Therefore, this analysis will also show how the approach of the ICO in this … Read more

Internal, external or shared DPO?

The CNIL, the French DPA, published its guide for DPOs. This guide analyzes, among other issues, why and how to appoint a DPO and what means should be provided to fulfill its mission, and compares the pros and cons of the internal, external and shared DPO roles: 1) If you choose to appoint a member of the … Read more

French DPA 120K Fine for no data retention periods

The French DPA fined a French company for not having a retention period, keeping personal data since 2007. In fact, they were using an out-of-date hashtag and not actually deleting data after a data subject request. The CNIL fined the company 120.000 € for not taking all necessary measures to be compliant.

Not fulfilling a data subject access request 30K Euros fine

The Hellenic DPA fines a company for failure to comply with a data subject’s access request for a video recording, resulting in a € 30’000 GDPR fine. Based on the complaint of a data subject, the Greek Data Protection Authority imposed the fine because the company had not properly complied with the complainant’s request for information. The … Read more

Norwegian privacy regulator not on Facebook due to privacy risks

The Norwegian privacy regulator Datatilsynet has decided on the basis of research not to create a Facebook page because the privacy risks for users are too great. To the best of its knowledge, the regulator is the first organization to have carried out a risk analysis and a Data Protection Impact Assessment (DPIA) into the … Read more