After almost two years of the GDPR, the fines from the regulators are starting to pile up. Buying or merging with a company that lacks proper cybersecurity, or one that is not in compliance with the GDPR, becomes a considerable risk. For instance, Marriott was fined £99 million by the Information Commissioner's Office (ICO), which is the UK regulator, after hackers stole the guest records of the Starwood Hotels & Resorts Worldwide that it had acquired. A study by Merrill Corporation has shown that over half (55%) of practitioners surveyed across EMEA said they had worked on M&A transactions that had not progressed because of concerns around a target company's data protection and compliance with GDPR. Therefore, non - compliance with GDPR can become a serious issue for the seller.

Data protection for connected devices

In a recent article in Data Protection for Practitioners, Yves Gogniat looks at IoT, wearables, smart devices and other connected devices. Under the title "Can I collect personal data through connected devices without consent?", he explores the questions to what extent the consent of the data subject is necessary for the use of connected devices and how to deal with connected devices that do not have their own interface.

The article is available here.

Data protectionGuest author4 November 2019Data protection, DSGVO

The ECJ has ruled on the legality of Facebook's "Like" button

Fashion ID operates the website of the Düsseldorf fashion house Peek & Cloppenburg and had integrated Facebook's "Like" button on the website. The Consumer Advice Centre NRW considered this to be a breach of data protection, as the integration automatically resulted in the transfer of data to Facebook. In the opinion of the consumer advice centre, the necessary consent for the transfer of data to Facebook was therefore lacking. The case is still being decided under the old data protection law, but since the term "controller" is very similar in both laws, the ruling will also be relevant under the GDPR.

The ECJ has ruled that Facebook's "Like" button was not implemented in a data protection-compliant manner and that the website operator bears joint responsibility for such plugins.

Data protectionGuest author30 July 2019DSGVO, data protection, social media, social network

GDPR fine for a Dutch hospital due to insufficient TOMs

A Dutch hospital was fined because several unauthorised hospital employees accessed the electronic patient file of a prominent person (brief information in English as well as original report in Dutch).

Such incidents are unfortunately not isolated cases. In Switzerland, for example, the attempted sale of Michael Schumacher's patient file caused a stir, and in Germany, the Tugce case revealed that despite internal guidelines, an above-average number of hospital staff read Ms Tugce's patient file.

Data protectionGuest author22 July 2019DSG, DSGVO, data protection

What does the General Data Protection Regulation mean for companies outside the EU?

Until now, EU Data Protection Laws have only applied to companies with a presence in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, with the consequence that the new law not only affects companies within the EU, but also countries outside of its borders. In certain situations, the GDPR is also applicable to companies (controllers) outside of the EU.

The potential cross-border applicability has left many companies outside the EU confused, and it has led to uncertainty.

Data protectionGuest author9 July 2019GDPR

When does the General Data Protection Regulation apply to companies outside the EU?

Until now, EU data protection law only applied to companies that had an establishment in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, which means that the new law potentially affects not only companies in the EU. The scope of the law also covers companies outside the EU under certain conditions. In particular, Swiss companies that are often active in the EU could be affected by the GDPR.

This cross-border applicability has led to uncertainty for many companies outside the EU.

Data protectionGuest author3 July 2019GDPR, Data Protection, International