Dear Readers,

This is to update you on the latest news and developments in matters of data protection law.

If you would like more details, don’t hesitate to contact us via the comment function. We will also link to our blog posts (mostly in German) if we have already reported on a topic.

What has happened lately?

1. New national data protection laws entered into force

Bulgaria has implemented the GDPR into national law. The new Data Protection Acts entered into force in February. In addition, Nigeria issued the Nigeria Data Protection Regulation 2019 in January 2019.

2. European Commission adopts adequacy decision on Japan

On January 23rd, 2019, the European Commission adopted an adequacy decision on Japan, which allows the free flow of personal data between the EU and Japan starting from the same date.

3. Privacy Shield Guidance

The U.S. Department of Commerce (‘DOC’) has updated its guidance on the EU-US Privacy Shield. The DOC outlined whether a participant can rely on the Privacy Shield to receive personal data from the UK in light of the UK’s planned withdrawal from the EU. In particular, participants must update their Privacy Shield commitments as outlined in the Guidance, and these updates will depend on whether the UK withdraws from the EU with or without a transition period. The guideline can be found here:

4. Fines

a) Poland: The Polish data protection authority (‘UODO’) has issued a fine of PLN 943,000 (approx. €219,000) against a company for its failure to comply with the General Data Protection Regulation. In particular, UODO highlighted that the company, acting as a data controller, failed to inform over six million data subjects that their personal data were being processed, which prevented them from exercising their rights under the GDPR.

b) UK: The Information Commissioner’s Office (‘ICO’) has issued a monetary penalty of £40,000 against Grove Pension Solutions Ltd for sending over two million direct marketing emails without consent. Grove Pension Solutions had instructed a marketing agent to use third-party email providers to carry out hosted marketing campaigns that advertised the company’s services. This marketing activity violated Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

c) Denmark: The Danish data protection authority (‘Datatilsynet’) has proposed its first fine under the GDPR. Taxa 4×35, a taxi company, was fined DKK 1.2 million (approx. €161,000) for its failure to set adequate timeframes for the deletion of customer information under Article 5(1)(e) of the GDPR. The company had stored personal data of customers for a longer period than necessary. Despite the deletion of customers’ names after a period of two years, individuals remained identifiable, as information such as pick-up and destination addresses could still be attributed to their phone numbers, which were only deleted after five years.

d) France: The French data protection authority (CNIL) announced that it had issued a €50 million fine against Google LLC for compliance violations under the GDPR. The CNIL found that Google did not provide users with information relating to the purpose of data processing and data retention periods for marketing purposes in a clear and comprehensive way, as required by the transparency and information obligations under Articles 12 and 13 of the GDPR. Furthermore, in the opinion of the CNIL, Google did not have a legal basis for the processing of user data for personalized advertising. The collected consent was not valid, since it was not specific or unambiguous and users were not sufficiently informed as to the extent to which they were consenting to the data processing.