November 2, 2020
Preparing for the Brexit Endgame
[#GDPRandBrexit #UKrepresentative] “As the end of the year closes in, UK firms are finding themselves once again confronting the uncertainty of Brexit – and, for some, what it will mean for international data transfers.
[…] Finally, businesses need to consider the application of Article 27 GDPR. In some circumstances, this requires a non-EU organisation that does not have an ‘establishment’ in the EU to appoint a ‘Representative’ within the EU in relation to its processing of the data of EU citizens. Presently, in the transition phase, UK organisations do not need to do this. However, when the UK becomes a ‘Third Country’ and if the requirements are met, UK organisations must have a ‘Representative’ in the EU. The UK is likely to have a similar regime and so EU organisations may also need to appoint a ‘Representative’ in the UK if they process the data of UK citizens. Hence, organisations need to check if they are affected by this requirement.”
Germany: New case-law on immaterial damages for GDPR infringements
[#GDPRinfringements #GDPRcaselaw] “When it comes to infringements of the EU General Data Protection Regulation (GDPR), the first thing that comes to mind are proceedings and fines imposed by the data protection authorities. It is often neglected that GDPR infringements may also trigger claims for damages under Article 82 GDPR.
In fact, it is becoming increasingly popular among data subjects to file claims for damages against companies for (alleged) GDPR infringements. Especially where larger numbers of data subjects are affected, such as after a data breach, damage claims can also pose a significant financial risk for companies.
Accordingly, German courts have to decide ever more frequently on GDPR-related damage claims. We provide a summary of the most recent case-law by German courts and fields typically associated with a high risk of private enforcement.”
Uber Drivers challenge dismissal by algorithm
[#Uber #UberAlgorithm #AutomatedDecisions] “On 26 October 2020, three drivers from the United Kingdom and a driver from Portugal filed an application with the District Court of Amsterdam. The drivers request a court order to overrule the automated decisions by Uber regarding alleged fraudulent activities and the deactivation of their account. The drivers are represented by their attorney, Mr. Anton Ekker.
The drivers are supported by the App Drivers and Couriers Union (ADCU), the International Alliance of App-based Transport Workers (IAATW) and Worker Info Exchange.”
ICO issues enforcement notice to Experian over unlawful use of data for marketing purposes
[#ICO #EnforcementNotice #DataProcessingInvestigation] “The Information Commissioner’s Office (ICO) has issued an enforcement notice to Experian over unlawful use of data for marketing purposes, which Experian plans to appeal.
The credit reference agency (CRA) Experian has been ordered by the ICO to make “fundamental changes” to how it handles people’s personal data within its direct marketing services after a two-year investigation into the agency revealed “invisible” data processing and insufficient privacy information.
The investigation looked at the provision of offline marketing services by three data brokers – Experian, Equifax and TransUnion. It focused on the processing of personal data in the UK about individuals residing in the UK. It did not, the report says, look at the CRA’s credit referencing functions.”
Strategy for EU institutions to comply with “Schrems II” Ruling
[#EDPS #SchremsII #EUUSDataTransfers] “The European Data Protection Supervisor (EDPS) issued today a strategic document aiming to monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the “Schrems II” Judgement in relation to transfers of personal data to third countries, and in particular, the United States. The goal is that ongoing and future international transfers are carried out in accordance with EU data protection law.
It is in this context that the EDPS has developed an action plan to streamline compliance and enforcement measures, distinguishing between short-term and medium-term compliance actions.
As the Strategy continues to be implemented, the EDPS strongly encourages EUIs to avoid transfers of personal data towards the United States for new processing operations or new contracts with service providers.”
ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure
[#ICO #GDPRFines #DataBreach #TechnicalAndOrganisationalMeasures] “The ICO has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).”