Bavarian GDPR Sanctions Guidance
The Data Protection Authority of the German federal state of Bavaria has issued a guidance document on compliance with the EU General Data Protection Regulation (GDPR). The guidance document provides information on the various new sanctions possible under the new regime. In the document the DPA declares that when administering fines it will penalise the whole entity and not just an individual company in a group. This is significant for the amount of a fine, as the fine will be calculated as a percentage of the annual turnover of the entire group. Companies will be able to mitigate the level of a fine if they cooperate with the supervisory authority and if they have no history of privacy and data protection violations. Another interesting aspect of the guidance document is that the DPA believes that organisations may be held responsible for data protection violations by their staff, although the GDPR does not specify the extent to which fines may be imposed on employees.
Read more HERE
Read the Guidance document HERE (in German)
_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Hamburg DPA issues an administrative order for Facebook to delete WhatsApp data
The Hamburg Commissioner for Data Protection and Freedom of Information (der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) issued an administrative order on Tuesday that prohibits Facebook from collecting and storing data of German WhatsApp users. Furthermore, Facebook is ordered to delete all data that has already been forwarded by WhatsApp. According to the Commissioner, Facebook was infringing data protection law as it had not obtained effective approval from WhatsApp's 35 million users in Germany. The problem lies in the fact that after the acquisition of WhatsApp by Facebook two years ago, both parties publicly gave assurances that data would not be shared between them. The fact that this is now happening is not only misleading but also constitutes an infringement of national data protection law. In response, Facebook, which has its German headquarters in Hamburg, stated that it complied with EU data protection law and that it will appeal against the order by the DPA.
Read the full Press Release HERE
_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Privacy Shield: “Grace Period” to end on 30 September
The initial phase of the Privacy Shield Agreement, the so-called “grace period”, is coming to an end on 30 September. Organisations that have already submitted or will submit their application for self-certification before the end of September 2016 will be granted nine months to ensure that any existing third-party contracts fulfil the requirements of the Privacy Shield. Third parties will have to provide the same level of protection as that provided by the Privacy Shield, but do not need to self-certify.
According to Ted Dean, Deputy Assistant Secretary for Services at the US Department of Commerce, around 200 US companies have now been certified to the EU-US Privacy Shield. Companies such as Google, Salesforce, Dropbox and Oracle are now amongst those that have been certified. Another 300 companies are being reviewed and around 400 companies have started the procedures by submitting some information.
HERE you can find the full list of Privacy Shield certified companies
_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Swiss Surveillance Law Passed
As we reported in our previous edition of Last Week in Privacy & Data Protection, Swiss voters were voting on Sunday on the new law extending the national spy service's authority to monitor internet traffic, deploy drones and hack foreign computer systems. Some 65.5% of voters agreed to accept the proposal, which, according to the first commentaries, just shows how concerned the Swiss have become about a possible militant attack.
Read more HERE
_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Compiled by Jernej Mavrič, email: jm@dp-recruitment.com