Summary paper by Taylor Wessing (51 pages), which keeps getting updated.
https://deutschland.taylorwessing.com/documents/get/1859/ubersicht-behordlicher-stellungnahmen-zur-dsgvo.pdf
CNIL fines SERGIC 400,000 EUR (web site vulnerability)
Very interesting case that needs some closer analysis.
The fine is about 0.9% of SERGIC’s annual turnover in 2017.
During the online audit of September 7, 2018, CNIL agents retrieved files accessible from URLs composed as follows:
https://www.crm.sergic.com/documents/upload/eresa/X.pdf
– where by changing X you could access another person’s file.
SERGIC tried to argue that the agents shouldn’t have done that, etc. – to no avail. CNIL observes that exploiting the vulnerability does not require any particular technical expertise in computer science. CNIL also considers that the use of a script to exploit this vulnerability does not require any advanced skills.
(Should be good week-end reading.)
https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038552658
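The access-control failure described above, as an added illustration that is not taken from the CNIL decision or from SERGIC’s code: a minimal in-memory model of a document download handler in the vulnerable form (the file is returned for any existing X) beside a hardened form that ties each file to its owner. The names DOCS, serve_vulnerable, serve_hardened, can_read and the sample accounts are assumptions of the example.

```python
import os
import secrets


class AccessDenied(Exception):
    """Raised for both 'no such document' and 'not your document'."""


# Constructed sample data: stored file name -> account that owns it.
DOCS = {
    "1001.pdf": "alice",
    "1002.pdf": "bob",
}


def serve_vulnerable(requester, name):
    """The pattern the decision describes: the file named in the URL is
    returned as long as it exists; nothing ties the file to the requester."""
    if name not in DOCS:
        raise FileNotFoundError(name)
    return f"<contents of {name}>"


def serve_hardened(requester, name):
    """Same endpoint with an object-level authorisation check."""
    # Accept only a bare file name: no directory parts, no traversal.
    if os.path.basename(name) != name or not name.endswith(".pdf"):
        raise AccessDenied(name)
    owner = DOCS.get(name)
    # Deny with one indistinguishable error whether the file is missing or
    # belongs to someone else, so responses do not reveal which X values exist.
    if owner is None or owner != requester:
        raise AccessDenied(name)
    return f"<contents of {name}>"


def new_document_name():
    """Defence in depth: issue unguessable names so X cannot be walked
    sequentially. This complements, and never replaces, the owner check."""
    return secrets.token_urlsafe(16) + ".pdf"


def can_read(requester, name):
    """True/False wrapper around serve_hardened, convenient for audit logging."""
    try:
        serve_hardened(requester, name)
        return True
    except AccessDenied:
        return False
```

In a real application the owner lookup would be a database query keyed on the authenticated session, and every denied request is worth logging: a burst of denials for varying X from one client is the signature of exactly the enumeration CNIL describes.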
GDPR enforcement tracker
http://www.enforcementtracker.com/
Trying to keep track of GDPR enforcement actions, fines and sanctions. – The CMS tracker also has GDPR fine models, e.g. for Germany.
Another tracker: https://www.dsgvo-portal.de/dsgvo-bussgeld-datenbank.php
USA: FTC – Annual Report Privacy and Security 2018
First GDPR fine in Poland (~220,000 EUR) for failure to meet information obligation
- The company obtained data subjects’ data from publicly available sources, inter alia the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes.
- Company did not meet the information obligation in relation to over 6 million people.
- Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.
- Some additional comments by Piotr Foitzik (IAPP forum on LinkedIn): The company also processed data of millions of people who were sole traders in the past and are not anymore. When it sends postal letters to postal addresses which are not correct and are outdated, this will result in a data breach. The fact that a legal basis has not been analysed, and were it to be a legitimate interest a balancing test would need to be conducted, does not mean that processing was legitimate, but that unfortunately the authority did not discuss some of the core issues here. All in all, publicly available information, including that of entrepreneurs, is also subject to the GDPR, and in this instance the data became public not by their free choice but because it is a legal requirement in Poland; this requirement also serves specific purposes, and the processing should be in line with these purposes.
ICO: Grove – ICO fines company GBP 40,000 for sending nearly two million direct marketing emails without consent
Grove, a Kent pensions company which relied on ‘misleading’ professional advice, has been fined £40,000 by the Information Commissioner’s Office for being responsible for sending nearly two million direct marketing emails without consent. Grove utilised the services of a third-party marketing agent to carry out a range of marketing functions on its behalf, including lead generation.
Grove, by extension through this marketing agent, would work with “email providers”, who essentially provided a hosted marketing service by sending out “pre-approved emails” to opted-in subscribers contained within data sets which they themselves supplied.
Mitigating factors (that helped reduce the penalty):
1) “Extensive consultation” with a recognised specialist data protection consultancy (even though this advice was obviously not quite right), which demonstrated awareness of obligations and a generally positive and pro-active approach to data protection.
2) The number of complaints received was minimal.
3) No evidence that the activity continued beyond the period set out within the Notice.
4) Cooperation with the ICO investigation.
https://ico.org.uk/media/action-weve-taken/mpns/2614585/grove-pensions-mpn-20190326.pdf
Denmark: DPA proposes ~160k EUR fine for taxi company over data minimization failure (Taxa 4×35)
Fine amounts to 2.8% of company’s turnover.
The company “anonymised” customer information after two years by deleting customer names from its system – but retained phone numbers for three more years. The argument that phone numbers were integral to the database was dismissed.
https://en.horten.dk/News/2019/Marts/Recommended-GDPR-fine-of-DKK-1-2-mill-to-Danish-taxi-company