International Data Protection Committee

International Data Protection Committee established by Danish DPA

An international data protection committee has been established by the Danish DPA to protect Danish interests regarding international data protection.

 

The Danish DPA has established a special committee with the aim of giving the Authority’s stakeholders more and better insight into the international data protection work done by the Data Inspectorate. It will also give them an opportunity to contribute to this work, strengthening the safeguarding of Danish interests on an international level. This new special committee differs from the Danish DPA’s contact committee in that its efforts will be geared specifically towards the Authority’s work regarding international affairs.

 

The International Data Protection Committee is aimed at fostering collaboration to strengthen the protection of Danish interests.

 

The GDPR is directed at pursuing a more formalized cooperation between the various European Data Protection Authorities. This is paramount in ensuring harmonization in the interpretation of data protection rules throughout the EU. The Danish DPA, in an effort to protect and further Danish interests, is ensuring that European regulation is beneficial within the Danish context. This Special Committee on International Data Protection Cooperation was established to give the Danish Data Protection Authority’s stakeholders and the Danish Data Protection Agency a platform on which to collaborate and strengthen the protection of Danish interests.

 

This special committee will hold quarterly meetings to inform stakeholders about ongoing international cases as well as any current issues in the international arena. Committee members will have the opportunity to provide input at these meetings, as well as insight on their specific needs. The first of these meetings is scheduled to take place on January 20.

 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

 

Record EU GDPR fine appealed by Amazon

Amazon has appealed the record EU GDPR fine on the basis that there was no data breach.

 

In July, we reported that Amazon was facing a possible fine for alleged GDPR violations totalling €350 million. According to this Bloomberg report, Amazon is now appealing this fine, which stands at €746 million. The CNPD, Luxembourg’s privacy watchdog, hit Amazon with this record-breaking fine, claiming that its processing of user data was a violation of the EU GDPR. This fine is the result of a 2018 complaint from French privacy rights group La Quadrature du Net.

 

Amazon has appealed the record EU GDPR fine, claiming that there has been no data breach.

 

Amazon has disagreed with the CNPD’s findings, claiming that there has been neither a data breach, nor any customer data exposed to a third party. The world’s largest online retailer has also stated that there are guidelines as to what employees are allowed to do with customer data, which is collected in order to improve the customer experience. Some lawmakers and regulators have voiced concerns that the data collected is being used to give the company an unfair advantage in the marketplace. Amazon is being scrutinized by EU authorities over its use of data from sellers on its platform as they question whether it unfairly favors its own products.

 

The initially proposed fine of roughly 2% of Amazon’s global sales rose to the maximum fine under the EU GDPR – 4% of the company’s annual global sales.

 

Under the EU GDPR, regulators can fine companies up to 4% of their annual global sales. The fine proposed at first was roughly 2% of Amazon’s global sales, at €350 million, but after approval was gained from other regulators in the bloc, the fine now stands at €746 million. This fine is related to alleged compliance issues surrounding the company’s collection, storage and use of user data.

While Amazon stated that there has been no data breach, sources claim that their manner of storing user data violated the GDPR.

 

While Amazon claims that there has been no data breach, according to whistleblowers who previously worked with the company as information security officers, the manner in which data is stored on Amazon’s databases makes it impossible for the company to comply with Article 17 of the GDPR. Article 17 states that data subjects have the right to request that all their personal data be erased by a data controller, and to have that request fulfilled without delay. Allegedly, data stored by Amazon is at risk, as there is a lack of clarity on what data is being stored, where it is stored and who can access it, making it impossible to fulfill the requirements of Article 17 of the EU GDPR.

 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Halifax-based company fined by the ICO

A Halifax-based company fined by the ICO was found to have been making unlawful pension calls. 

A Halifax-based company, Parker Beach LTD (PBL), has been fined a total of £50,000 by the ICO for unlawful cold calls regarding pensions, according to this report from the ICO. The ICO’s investigation revealed that the company, which operates under the trading name “Your Pension Options”, made calls to people regarding their pensions, looking to arrange an introduction to an advisor. These calls were unauthorized, and resulted in 16 complaints to the ICO. The company has admitted to making over 96 thousand calls. Pension cold calling was banned in 2019, specifically to protect vulnerable pensioners and their retirement funds, as cold calls are admittedly one of the more common ways of defrauding people out of pension and retirement funds.

Pension calls have been outlawed since 2019, and are only allowed under very few, specific conditions. 

Pension calls are outlawed, unless certain conditions apply. If the caller is authorized by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme, or if the recipient has an existing relationship with the caller and has consented to calls, these calls are considered lawful. This stance was taken in 2019, making it illegal for companies to make nuisance cold calls to people regarding pension schemes. The ICO’s Head of Investigations, Andy Curry, has stated that cold calls have been a common tool in fraud, and for that reason, tough action will be taken on companies who utilize this kind of marketing. He said in a statement, “Companies are responsible for knowing the law and following it. We have a range of powers and enforcement action which we can and will take on behalf of the public to put a stop to the activities of unscrupulous companies.”

The ICO fined the company and issued an enforcement notice ordering them to make no further calls. 

In their investigation, the ICO uncovered that PBL sourced the data for its calls from a third-party supplier, which had itself obtained the data from various websites. Signing up on the site required users to agree to possible marketing from an extensive list of organizations from various sectors. It did not appear possible for these users to select which, if any, of these organizations they would like to have their details forwarded to, or from which they would like to receive marketing material. This means that PBL did not obtain clear, informed consent. As a result, the company was hit with a fine of £50,000, and also an enforcement notice ordering them to stop making further calls. Under the Privacy and Electronic Communications Regulations (PECR), the ICO can issue fines of up to £500,000.


TikTok fined by Dutch DPA


TikTok fined by Dutch DPA for failure to provide translated information to users

The video-sharing social networking app TikTok was recently fined by the Dutch DPA, according to this report from the EDPB. Upon investigation into apps typically used by minors, it was discovered that the information provided when installing the app (including the privacy policy) was only provided in English. By failing to provide this information in Dutch, TikTok violated the rights of Dutch-speaking users, as it failed to give users clear, comprehensible information on what happens with their personal data. This in and of itself is a violation of their privacy rights. TikTok has been hit with a fine of €750,000, to which the company has objected.

TikTok, fined by the Dutch DPA, is now being investigated by the Irish DPA after establishing headquarters in Ireland.

While this initial fine was imposed by the Dutch DPA, and rightfully so, because at the time TikTok had no headquarters in the EU, the company has since established headquarters in Ireland. The initial fine could have been imposed by any EU member state; however, any subsequent investigations must be handled by the Irish Data Protection Commission. The Dutch Data Protection Authority can only be expected to assess the privacy statement related violation, which had ended by the time headquarters had been established in Ireland. When a company has no European headquarters, any EU member state can oversee its activities; however, if there are European headquarters, this responsibility falls on the country which houses the company’s headquarters.

TikTok has made changes to their app to make it safer for child users. 

Since last October, when the Dutch DPA submitted the results of its investigations to TikTok, certain key changes have been made to protect users under 16 while they use this app. While these changes are not entirely foolproof because children can still pretend to be older by creating their account with false information, the DPA welcomes the adjustments made by TikTok to reduce the risk for child users. Parents are now able to manage their children’s accounts through their own accounts, or through the ‘Family Pairing’ feature. This will not prevent children from putting themselves at risk by lying about their age; however, it will give parents the power to monitor their children’s accounts and provide greater security to them.
