Loud and Clear! CNIL sends strong privacy with new €40 million fine of CRITEO

The French Data Protection Authority, the CNIL, has fined advertising company CRITEO €40 million for improper conduct in handling users’ personal data. This is one of the largest fines of its kind, and perhaps a sign of a new era.

Data transfers across the Atlantic… a storm in a teacup?!

The European Commission's new adequacy decision concerning the United States puts a stop to the European doctrine that was taking shape on the use of American tools involving transfers of personal data across the Atlantic, not without a touch of perplexity.

The Polish Supreme Administrative Court concluded “ saga”

In its judgement from February 2023, the Supreme Administrative Court of Poland announced a significant decision from 2019 of the Polish DPA that imposed a substantial fine of PLN 2.8 million (ca. 645,000 euros) against the online retailer, The decision ...

Barbados urges banks to bolster cyber resilience with new guideline

The Central Bank of Barbados recently published its Technology and Cyber Risk Management Guideline. Not only does the Guideline require banks to implement a cyber risk framework, it holds them responsible for ensuring the framework’s resilience and robustness in ...

New Guidelines With Updated Obligations on Cookies in Spain: Companies Have Just a Few Months to Adapt Their Websites

The Spanish DPA (AEPD) published earlier this week new guidelines on cookies in order to update the existing ones to the recommendations of the European Data Protection Board (EDPB).

Data Privacy in Peru: Considerations for foreign personal data controllers with no physical presence in the Peruvian territory.

As in the case of other Latin American and European jurisdictions, the scope of data protection rules in Peru has been designed to be circumscribed to a territorial scope based on a local establishment criterion, which creates obligations for data controllers before ...

“Another breach in the wall” – the Polish DPA’s views regarding data security and notifying data breaches under the GDPR

In the ever-evolving landscape of data protection and privacy regulations, organizations must remain vigilant in upholding the security of the personal data they handle. A recent decision issued by the Polish DPA underscores this critical aspect, as the Polish DPA ...

Recommendations for reliable artificial intelligence

Argentine Information Technology Subsecretariat approves a set of recommendations for trustworthy artificial intelligence (“AI”), specifically directed to the public sector.

Serious Criticism and Injunction Issued for using Facebook Business Tools

The Danish Data Protection Authority, Datatilsynet, has issued severe criticism of Boligportal, Denmark's largest online marketplace for rental properties, for failing to demonstrate compliance with the General Data Protection Regulation (GDPR) in their handling of ...

Is the Austrian Communication-Platforms-Act contrary to EU law?

On 8th June 2023 the ECJ’s Advocate General, Maciej Szpunar, delivered his opinion in the Case C-376/22, concerning the conformity of the so-called Austrian Communications-Platforms-Act („Kommunikationsplattformen-Gesetz“ – “KoPl-G”) with EU law. As it appears, according ...

A new member has joined the INPLP: Ibrahim Can Cayirpare (Turkey)


Upcoming: The 8th annual conference

November 17th – 18th (Dublin, Ireland)

Another new direction: UK reintroduces the Data Protection and Digital Information Bill, but what's changed?

On 8 March 2023, the Department for Science, Innovation and Technology ("DSIT") introduced the Data Protection and Digital Information (No. 2) Bill (the "Bill"), extinguishing the previous Data Protection and Digital Information Bill (the "Previous Bill"). The Bill is ...

The cost of non-compliance with the GDPR – the Data Protection Commission issues a record fine of €1.2 billion against Meta Ireland

On 22 May 2023, the Irish Data Protection Commission (DPC) announced the conclusion of its inquiry into Meta Platforms Ireland Limited (Meta). This inquiry concerned the manner in which Meta transferred personal data out of the EU to the US. The DPC found that Meta ...

Bulgarian DPA Introduces Deep Audits as a Standard Practice in Cases of Data Breaches

Bulgarian DPA is currently applying on a regular basis a new procedure in cases of data breach notifications which includes complex questionnaires covering all the data processing activities of the data controller and extensive requests for provision of documents and ...

Curricula vitae vs Transparency equals? Do political appointments fall under data privacy?

The type of information we need to know
Publication of the CVs of persons holding public office serves the principle of transparency ...

Data Subject Requests Under Turkish Data Protection Law

The Law on Protection of Personal Data w. no. 6698 (“DPL”) contains data subject rights that are similar to those that can be found in the General Data Protection Regulation. While certain rights are common, the exercise of the right under the DPL is subject to certain ...

Biometric Data and their “sensitivity” under Mexican Data Protection Laws

Mexico has not yet explicitly included biometric data as a special category of personal data (or sensitive data), but this has not stopped the Mexican data protection authority from deciding that this data shall be protected as such. How is it doing so?

Argentina: Ratifies Convention 108+

Argentina becomes the 23rd state to ratify Convention 108+.

Sweden: The EU implements the Travel Rule for transfers of crypto-assets

The so-called “Travel Rule” will soon be extended to cover transfers of crypto-assets following the approval of the revised Transfer of Funds Regulation. Crypto Asset Service Providers and intermediaries registered in the European Union will be obligated to collect, ...

Norway: The Norwegian DPA bans the government’s collection of supermarket data for statistical purposes

Statistics Norway (SSB) is a Norwegian government agency that is responsible for development of official statistics for public administration purposes. SSB recently ordered the major Norwegian food supermarket chains to transfer data about all individual purchases to the ...

Smile, you're being recorded!

Following the American and European trend, Portugal is now one of the countries that has determined the use of Bodycams by security forces in some situations. With the entry into force of this regime, it remains to be seen whether the personal data and privacy of ...

As the last EU state, Slovenia passed Personal Data Protection Act

As of 2023 data privacy in Slovenia will be governed by the newly passed Personal Data Protection Act (ZVOP-2), which aims to bring the country’s data protection framework in line with the GDPR. Slovenia became the last EU member state to fully implement the GDPR into its ...

What steps should employers take when publishing the labor act on the notice board to comply with labor act publication regulations in Serbia?

According to the Labor Law of the Republic of Serbia, if an employee refuses to accept at the premises of the employer a document regarding his/her employment status, the employer is obliged to publish that document on the notice board in order to deliver it. After a ...

New Cookie Regulations in Japan – Amendment of Telecommunications Business Act

The Telecommunications Business Act (“TBA”) is a law administered by the Ministry of Internal Affairs and Communications of Japan. Under the amended law, certain regulations for telecommunication businesses sending information to third parties (including cookies) have ...

Authority is planning to overhaul the decade old data protection regime in Hong Kong – business should prepare for changes

The Hong Kong Privacy Commissioner for Personal Data has released signs of revamping the data protection regime in the region that will bring the standard of personal data protection in Hong Kong closer to her international counterparts. Detailed proposals remain to be ...

Brazilian DPA can start to apply fines now

After two years of the law in force, and countless actions to ensure compliance with the data protection regulation in Brazil, the parameters and criteria for applying fines of LGPD (Brazilian General Law of Personal Data Protection) were finally defined.

The Data Protection Commission’s 2022 Annual Report

On 7 March 2023, the Data Protection Commission (“DPC”) released its 2022 Annual Report. We have summarized the key points from the 90-page Report below.

2022 was a busy year for all privacy practitioners. This active spirit did not skip over Israel and its citizens

Among the privacy changes some interesting legislative amendments were proposed to the Israeli Privacy Protection Law (correction number 14) dated January 2022: ...

Transparency in the sights of the Luxembourg data protection Authority

As in the past, the Luxembourg data protection Authority (the “CNPD”) launched in 2020 a thematic investigation on transparency (Article 12.1 of the GDPR). This investigation resulted in interesting and useful decisions of 13 December 2022 on the Authority's expectations ...

Meta Tracking Tools Illegal – Austrian Data Protection Authority Holds That the Use Directly Violates the GDPR and the “Schrems II” Decision

The Austrian Data Protection Authority (DPA) decided (6th of March 2023, D155.028, 2022-0.726.643) that the use of the Facebook Business Tools “Facebook Login” and “Facebook Pixel” is violating the GDPR. The DPA held that the findings made in the “Google Analytics ...

Facebook is in trouble again …

… And this time it’s not Max Schrems who’s behind it.

On March 15, 2023, the Amsterdam District Court ruled that Facebook Ireland violated the law by unlawfully processing the personal data of Dutch Facebook users. The Schrems rulings had already made it clear that ...

Am I My Brother’s Keeper?

Understanding the Importance of Data Protection Compliance Management in Processing Chains: Key Takeaways from the CJEU’s “Proximus” Judgement C-129/21

The privacy risks of the “virtual friend”: the Italian DPA clamps down on Replika

The Italian Data Protection Authority (“Garante Privacy”) has ordered the limitation of the data processing activities carried out by the Replika chatbot due to minors’ data protection concerns.

The ‘Chat GPT Effect’ – Parsing Privacy and AI Regulation in India

The increasingly common use of AI in our daily lives raises multiple concerns, particularly around data privacy and regulatory preparedness. In this article, we discuss the privacy risks associated with AI and the position under Indian law.

2022 and 2023 in Baltic Data Protection

At the end of January, we celebrated Data Protection Day. To mark that annual occasion, TGS Baltic’s Data Protection Team compiled an overview of the key market and enforcement trends in the Baltic region in 2022 and our predictions and recommendations for 2023.

China's first attempt to regulate deepfake-like risks.

China recently released an administration regulation on the use of deep synthesis technologies and their use on the internet. The regulation regulates some of the typical technologies and scenarios that are commonly seen on the internet nowadays.

Online identifiers are not always personal data

The Voivodeship Administrative Court in Warsaw recognizes that online identifiers, including cookies, should not be automatically categorized as personal data. Thus the Polish Court is at variance with the Polish DPA’s stricter position on that subject.

Cyber insurance: the French legal framework is changing

France makes the payment by insurers in case of cyber attacks conditional upon the prior filing of a criminal complaint within 72 hours.

The Guidelines on Use of Cookies in Turkey

The Guidelines on Use of Cookies (the “Guidelines”) were published by the Personal Data Protection Authority (the “Authority”) on June 20, 2022, and outline good practice examples to guide data controllers. The Guidelines explain principles on use of cookies for data ...

Non-material Damage for Data Protection Breaches before the Irish and EU Courts – Clarity Ahead?

Data protection claims are in the dock. The Irish Circuit Court has temporarily halted proceedings for non-material damage claims pending clarity from decisions by the Court of Justice of the European Union on compensation for non-material damage in relation to 'mere ...

The Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) solves an important problem in the EU financial regulation, as it “aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been ...

A new member has joined the INPLP: Bartlett D. Morgan (Barbados)


A new member has joined the INPLP: Laura Fannin (Ireland)


The interplay between contractual relations and the GDPR’s security principle: A lesson from France

Security breaches and data loss are a core concern of any controller or processor. What possible avenues of redress can a Controller have when data losses are caused due to failings by its Processor? A recent case from the Lille Commercial Court in the context of the OVH ...

First European Report on the Use of Cloud Computing in the Public Sector From the Privacy Perspective

The Spanish DPA (AEPD) just published the conclusions of this first European report, coordinated by the European Data Protection Board, on the use of cloud in the public sector. This article summarizes its privacy and data protection implications.

The largest bank in Denmark - Danske Bank - is set to be fined DKK 10 million (approximately € 1.35 million)

The Danish Data Protection Authority has found that the largest bank in Denmark - Danske Bank - has failed to demonstrate that it has deleted personal data in accordance with GDPR and has therefore reported Danske Bank to the police and imposed a fine of DKK 10 million ...

Data Controller Registry Requirement in Turkey

In accordance with Personal Data Protection Law No. 6698 (the “DPL”) and the Regulation on Data Controllers’ Registry (“Regulation”), data controllers must be registered with the Data Controllers’ Registry (“VERBIS”) in Turkey. There are certain thresholds in terms of ...

Do you think that a black van serves only transportation purposes? Well, maybe you want to reconsider your opinion!

How Cyprus found itself in the epicenter of the spy scandal in Greece

The lists for financial support for vulnerable categories of citizens must be removed from the web sites of the competent authorities.

The lists for financial support for vulnerable categories of citizens may be available to the public only during the duration of the deadline for submitting of an objection by the affected beneficiary ...