After almost two years of the GDPR, the fines from the regulators are starting to pile up. Buying or merging with a company that lacks proper cybersecurity, or one that is not in compliance with the GDPR, becomes a considerable risk. For instance, Marriott was fined £99 million by the Information Commissioner's Office (ICO), the UK regulator, after hackers stole the guest records of Starwood Hotels & Resorts Worldwide, which Marriott had acquired. A study by Merrill Corporation has shown that over half (55%) of practitioners surveyed across EMEA said they had worked on M&A transactions that had not progressed because of concerns around a target company's data protection and compliance with the GDPR. Non-compliance with the GDPR can therefore become a serious issue for the seller.
In a recent article in Data Protection for Practitioners, Yves Gogniat looks at IoT, wearables, smart devices and other connected devices. Under the title "Can I collect personal data through connected devices without consent?", he explores to what extent the consent of the data subject is necessary for the use of connected devices and how to deal with connected devices that do not have their own interface.
The article is available here.
Fashion ID operates the website of the Düsseldorf fashion house Peek & Cloppenburg and had integrated Facebook's "Like" button on the website. The Consumer Advice Centre NRW considered this to be a breach of data protection, as the integration automatically resulted in the transfer of data to Facebook. In the opinion of the consumer advice centre, the necessary consent for the transfer of data to Facebook was therefore lacking. The case is still being decided under the old data protection law, but since the term "controller" is very similar in both laws, the ruling will also be relevant under the GDPR.
The ECJ has ruled that Facebook's "Like" button was not implemented in a data protection-compliant manner and that the website operator bears joint responsibility for such plugins.
A Dutch hospital was fined because several unauthorised hospital employees accessed the electronic patient file of a prominent person (brief information in English as well as original report in Dutch).
Such incidents are unfortunately not isolated cases. In Switzerland, for example, the attempted sale of Michael Schumacher's patient file caused a stir, and in Germany, the Tugce case revealed that despite internal guidelines, an above-average number of hospital staff read Ms Tugce's patient file.
Until now, EU data protection laws have only applied to companies with a presence in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, with the consequence that the new law affects not only companies within the EU but also those outside its borders. In certain situations, the GDPR is also applicable to companies (controllers) outside the EU.
The potential cross-border applicability has left many companies outside the EU confused, and it has led to uncertainty.
Until now, EU data protection law only applied to companies that had an establishment in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, which means that the new law potentially affects not only companies in the EU. The scope of the law also covers companies outside the EU under certain conditions. In particular, Swiss companies that are often active in the EU could be affected by the GDPR.
This cross-border applicability has led to uncertainty for many companies outside the EU.