Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
As 25 May 2018 approached, many organisations faced these new European privacy rules with increasing concern. One of the main reasons for this was undoubtedly the extremely high fines that can be imposed for breaches of the GDPR: the majority of infringements can be punished by a fine of up to EUR 20 million or 4% of total worldwide annual turnover for the previous financial year (the higher of the two). The level of fine imposed will depend on an assessment by the national data protection authority (DPA) of mitigating or aggravating circumstances listed in the GDPR including the nature, seriousness and duration of the infringement, whether the data involved was sensitive and any previous breaches.
A year on, with the first wave of decisions and fines now issued by a number of DPAs and investigations ongoing in others, it is interesting to examine the initial effects of the GDPR in the EU. Has it managed to enhance protection for people’s privacy? Did the concern expressed at its potential impact turn out to be justified? Are different trends emerging in different EU countries? These and other questions are discussed below, on a country-by-country level.
In Austria, first breaches of the GDPR can basically only be sanctioned by a warning; the Austrian DPA imposes fines from the second breach onwards.
So far three fines have been imposed by the Austrian DPA, all of which involved illegal video surveillance. The fines ranged from EUR 300 to 4800.
The Austrian Data Protection Act (Datenschutzgesetz 2000, ‘DSG’) has made use of the scope for making separate rules in Article 88 of the GDPR. Section 11 DSG (based on which the penalty provisions of Article 83 (2) to (6) GDPR are applied) was amended in such a way to ensure proportionality is maintained. Hence, particularly in the case of first-time infringements, the DPA will make use of its remedial powers in accordance with Article 58 of the GDPR, that is, by issuing a warning.
During the past year Austria has imposed very few fines. The DPA judgments issued since the new GDPR legislation came into effect have mainly concerned first findings of infringements and associated warnings. As far as can be anticipated, the DPA seems to stick to the approach described above, issuing a warning for first-time infringements. So far, the DPA seems not to have judged a breach of data protection to be severe enough to oblige it to impose fines right away.
One of the most recent DPA decisions from December 2018 shows an interesting trend regarding the definition of ‘the data subject’s right to deletion of data’ and whether anonymising by removing individual personal references to a person already satisfies the data subject’s righto deletion of data.
The Austrian DPA ruled that the data controllers (and not data subjects) have the right to choose the appropriate technical and/or organisational security measures for the retention of data and that the removal of individual references is, in principle, a legitimate way to comply with a request for deletion, since the GDPR does not apply to data without personal references (i.e. to anonymised information).
Birgit Vogt-Majarek, and Karoline Saak, Schima Mayer Starlinger
The Belgian DPA has taken the time to inform the public of the consequences of the GDPR. It has confirmed that in the first half year of GDPR application, not a single fine was issued, although it has noted that some investigations are already ongoing.
The Belgian Act on the protection of physical persons with regard to the processing of personal data (‘Data Protection Act’) came into effect on 5 September 2018. Under the Data Protection Act, employers from the private sector will, in principle, not be able to retain an extract from the criminal records of employees or job applicants, unless one of the exceptions applies. Nevertheless, the DPA has indicated in the past that where an exception does not apply, the employer can ask a candidate to show an extract from his or her criminal records voluntarily, but the employer cannot take a copy, take notes from it or retain it.
There is no case law on the GDPR in an HR context yet. However, many questions have arisen, such as the use of photos of employees and biometric data. The Belgian DPA has confirmed that in principle, the processing of such data requires the employees’ consent.
The question of the admissibility of evidence obtained in breach of an employee’s privacy has been examined by Belgian case law: the Supreme Court has limited the situations in which such irregularly obtained evidence must be excluded. We are now waiting to find out whether or not the GDPR will influence this case law.
Inger Verhelst, and Isabelle De Somviele, Claeys & Engels
One year after the entry into application of the GDPR, the Bulgarian Commission on Personal Data Protection (the ‘Commission’) has taken a rather mild approach to enforcement. The Commission’s most common enforcement practices include issuing warnings, official reprimands, and orders for bringing processing activities into compliance with the GDPR. In a few isolated cases, particularly where the personal data controller at fault has been especially non-cooperative, they have issued fines in the range of EUR 500 – 5,000, mostly for processing personal data without a sufficient legal basis under Article 6 of the GDPR. Proceedings before the Commission have usually been initiated on the basis of data subjects’ complaints.
Other than enforcement, the Commission has been preoccupied with issuing various statements on the GDPR’s application, conducting training, participating in conferences, and otherwise raising awareness on the new legal framework.
On the subject of legislation, the Commission took a significant role with respect to the amendments to the Bulgarian Personal Data Protection Act, promulgated in February 2019. Furthermore, in view of the general provisions of Article 32 GDPR on the required level of security, the Commission revoked Ordinance 1/2013 on the minimal level of technical and organisational measures and the permissible type of personal data protection, which used to impose specific obligations at a local level for Bulgarian controllers.
As of May 2019, the Commission has not issued any official statistics or estimates on the level of compliance of businesses and administrative bodies with the GDPR.
Deyan Terziev, Boyanov & Co
The Croatian data protection authority (AZOP) has been among the most benevolent regulators in the EU. It has always concentrated on providing guidance and recommendations for compliance. Since the GDPR entered into effect, it has started conducting investigations, mainly in response to reports.
The AZOP publicised instructions on reporting data breaches along with a preferred reporting form. However, there is no publicly available information on any significant data breaches in Croatia or any fines imposed by the AZOP.
The General Data Protection Regulation Implementation Act was published in the Official Gazette No. 42/18. It contains additional restrictive provisions on the processing of genetic data and biometric data, as well as video surveillance, including in the workplace. For instance, in addition to the fines prescribed in the GDPR, a controller or a processor may be fined up to approximately EUR 6,730 for violating the provisions of the GDPR Implementation Act restricting video surveillance.
The national Labour Act and Work Safety Act also contain additional provisions on processing employee personal data, including on video surveillance. These provisions of the Labour Act predate the GDPR, but no amendments have been announced.
Different sector-specific laws and regulations also require certain categories of data about particular categories of data subjects to be stored or archived for maximum or minimum statutory periods.
In addition to the processing operations listed in Article 35(3) GDPR, the AZOP rendered a decision on processing operations requiring a data protection impact assessment (DPIA). The so-called ‘blacklist’ contains 13 types of processing which automatically require a DPIA.
There is no registration fee with the AZOP for controllers or processors. However, the AZOP will charge ‘commercial entities’ (such as law firms or consultants) for its opinions Data subjects, data protection officers, journalists, and public bodies are generally exempted from the fee, but the AZOP can charge a reasonable fee, depending on administrative costs or for unfounded, disproportionate, or excessively frequent requests.
The GDPR Implementation Act allows for so-called ‘class actions’ by non-profit organisations or associations acting in the public interest, protecting the rights and freedoms of data subjects.
GDPR is still causing confusion in the business sector. Although there is a general awareness of the GDPR and certain compliance requirements, our impression is that a significant share of the business and public sectors is not yet compliant, at least partially.
The AZOP has held numerous awareness events and presentations, particularly in 2018, while in 2019, it has published a number of opinions, recommendations and guidelines on the application of the GDPR. The most interesting and controversial topics include consent, the processing of children’s personal data, and processing in a marketing context.
Olena Manuilenko, Divjak Topić & Bahtijarević Law Firm
The Cyprus DPA has announced and started drastic inspections and audits in the public and private sectors but its aim is to give guidance and not to impose high fines, except for very serious issues or breaches.
From 25 May 2018 until the end of 2018, the Cyprus DPA received 281 complaints. It has been notified about 32 personal data breaches and issued four decisions with fines up to EUR 11,500. In the DPA co-operation system, 255 cross-border cases have been registered for which two decisions have been issued. The Cyprus DPA has stressed that it is within its tasks and powers to carry out inspections to monitor and enforce compliance.
Some recent decisions issued by the Cyprus DPA (February to April 2019) include a EUR 4,000 fine on an insurance company for unsolicited SMS advertising after eight complaints. In a similar case, a media company that published and processed personal data in breach of the GDPR was fined EUR 3.000 following five complaints.
On 31 July 2018 ‘Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018’ (Law 125(I)/2018) was published in the official gazette of the Cyprus Republic. The Law was adopted for effective implementation of the GDPR. Upon its entry into force, the previous national law on processing of personal data was repealed.
In Cyprus, the right to privacy is vested in the Constitution and is afforded the highest protection. The GDPR has strengthened the legal regime around privacy even further. Its entry into force has enhanced the previous legal privacy framework, but more importantly have raised awareness and managed to put compliance onto the agendas of board meetings, influencing workplace policies and procedures and employers’ attitude to employees’ rights and privacy.
The Cyprus DPA has issued opinions and guidelines on video surveillance at the workplace and the use of biometric systems, access to employees’ and former employees’ email and general guidance on monitoring in the workplace.
Exercising its power under Article 58(3)(b) of the GDPR, it has recently issued an opinion regarding workplace email monitoring, emphasising that the employer should ensure that work-related emails are also accessible from other sources. In addition, the employer could offer employees the option to have two email accounts, clarifying the distinction between emails for professional and private use, and reducing the likelihood of the employers violating employees’ privacy.
Doria Papanicolaou, George Z. Georgiou & Associates
In the Czech Republic, there have not yet been any GDPR related court cases and only a few resolutions of the Office for Personal Data Protection (the ‘Office’) on breaches of GDPR. This is because the implementation law only became effective from 24 April 2019 and until that time the Office only issued warnings or recommendations. We nevertheless believe that the Office’s approach will be similar both in terms of sanctions and assessment of specific data privacy related situations to that adopted while the previous legal regulation was in force. Before GDPR, the Office did not fine employers for mistakes in data privacy documentation or processes or imposed very low fines (most were between EUR 100 and 1,000).
The Act on Personal Data Processing (‘Zákon o zpracování osobních údajů’) has been in effect from 24 April 2019. It does not include any specific employment law-related provisions. Therefore, employers, as data controllers, must comply mainly with the provisions of the GDPR and the Labour Code, which regulates monitoring of employees and recruitment rules. The new Act only contains minor exceptions, such as an amendment to the obligation of the controller to notify a data subject of a personal data breach or the exemption from the duty to perform a data protection impact assessment (DPIA) if the duty to process the personal data is stipulated by law.
The volume of GDPR-related information useful for employers currently available is substantially larger than what we had in May 2018. The Office for Personal Data Protection has published quite a lot of guides on the GDPR and issued several useful statements focused on specific matters, such as marketing, biometrics, employee’s consent, use of employee’s photos, the need to prepare a DPIA and more. The majority of employers are still dealing with GDPR-related problems and quite a number of them have not yet provided the relevant GDPR documentation to employees.
Irena Lišková, Randl Partners
Even before 25 May 2018, it was clear that the Danish DPA would not impose large-scale GDPR fines from the beginning. Danish constitutional law means the Danish DPA cannot issue GDPR fines until the Danish courts have established an adequate level for fines for the various types of breach of the GDPR.
In its 2018 annual report, the Danish DPA announced it had received 2,780 notifications of data breaches. Approximately 900 of these cases had been closed, approximately 700 cases were pending and approximately 600 cases were being re-evaluated due to the number of notifications of data breaches involving certain data controllers. 55 cases have been deemed so serious that they have been subject to fast track processing. The Danish DPA further stated that the remaining cases were being classified to ensure uniform processing. Some of the cases that were closed resulted in orders to the data controller.
There are still a number of cases pending. In a few cases on this issue where we have assisted clients, the Danish DPA has confirmed, however, that our client would not be reported to the police even though the case was still pending.
So far, a Danish therapy portal has been reported to the police by the Danish DPA after one user was able to access confidential and private correspondence between other users and their therapists.
Further, the Danish DPA has referred a case to the Danish Prosecution Service for the purpose of the Danish courts prosecuting the company in question. Following an inspection visit at a Danish taxi company, the Danish DPA found that the taxi company had stored personal data (mainly phone numbers) from approximately 9 million taxi rides without a legitimate reason.
The Danish DPA has suggested a fine of DKK 1.2 million (approximately EUR 161,000) be imposed on the taxi company, so even though no GDPR fines have been issued in Denmark yet, we still believe that we will experience a significant increase in the level of sanctions as predicted when the GDPR came into force.
We have not yet seen any final decisions in cases concerning processing of employee data or other labour market-related issues. We do, however, see a significant increase in the awareness from employees and trade unions on employees’ rights with regard to personal data. By way of example, we have assisted a number of clients in handling requests on the right of access to personal data from (former) employees.
Søren Skjerbek, Norrbom Vinding
In Finland, the GDPR is supplemented with a new Data Protection Act that entered into force on 1 January 2019. The Finnish Data Protection Ombudsman officially became a supervisory authority with the adoption of this new Act. Due to the Act’s late entry into force, the Finnish supervisory authority has, however, had rather limited scope to exercise its powers under the GDPR.
The number of new cases brought increased significantly after the GDPR became applicable in May 2018. The Data Protection Ombudsman has received almost three times more complaints and notifications last year compared to the previous years. One third are data breach notifications. Due to the delay with implementing the new Act and lack of resources, only some of these cases have led to further action by the supervisory authority.
The new Act enables the supervisory authority, together with other members of the new collegial body introduced by the Act, to impose fines. This collegial body consists of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. These Deputies were appointed by the Finnish government as late as 1 May this year, explaining why no fines has yet been imposed in Finland. Furthermore, the Data Protection Ombudsman has emphasised in his public appearances that corrective measures other than fines can often be a more effective response to failures to comply with data protection legislation. In addition, the Data Protection Ombudsman has underlined the importance of harmonisation when interpreting and applying the GDPR in the EU, meaning that the future practice of the European Data Protection Board is expected to significantly impact on the Data Protection Ombudsman’s actions.
Finnish legislation has been revised in the light of the GDPR. In addition to the new Data Protection Act, the GDPR is supplemented with the Act on the Protection of Privacy in Working Life, which has recently been amended. The amendments to this Act were minor and mainly technical: the strict protection of employee privacy and more detailed national rules remain central in Finland even in the GDPR era. The Act maintains national requirements and restrictions in matters such as background checks on job applicants, drug testing, employee monitoring, accessing employee emails, retention of employee health data, and on cooperation procedures necessary when implementing new data protection practices. Furthermore, the employer is, in principle, entitled to collect employee's personal data only from that employee him or herself. Collection of data from other sources requires an explicit legal basis or the employee’s consent. In practice, this recently enforced interpretation has made implementation of whistleblowing systems in Finland more complicated than in other jurisdictions.
Jukka Lång, and Anni-Maria Taka, Dittmar & Indrenius
The French Data Protection Authority (‘CNIL’) imposed a huge GDPR fine on Google LLC (EUR 50 million) on 21 January 2019, based on a lack of information and transparency for users. It took into account the large volume of data and number of individuals involved in this violation of privacy.
In general, the CNIL has not yet imposed fines as vigorously and as widely as many people feared: it started first and foremost by providing information, guidelines, e-learning training and various tools about the GDPR on its website. Also, smaller companies are being treated with more leniency.
Nevertheless, the CNIL has already imposed fines on Bouygues Telecom (EUR 250,000), Uber (EUR 400.000), Dailymotion (EUR 50.000) and Optical Center (EUR 250.000), all relating to a lack of technical measures securing client data.
Complaints to the CNIL have increased by 32.5% compared with 2017 and relate to requests to erase data on the Internet, but also complaints regarding inadequate security for personal data in the marketing and business, human resources, banking and health and social services sectors.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows the possibility for each EU member state to set its own, or further, rules on a number of subjects. France decided to implement the GDPR by staying as close as possible to the text of the GDPR and by updating its current data protection legislation, which dates back as far as 1978. A law dated 20 June 2018 and an order (‘ordonnance’) dated 12. December 2018 integrated some European provisions on criminal data into French legislation.
The GDPR is slowly gaining attention in labour law but it is too early to cite case law relating to privacy issues covered by the GDPR in the context of employment.
Nevertheless, issues around data protection arise more and more frequently in organisations, for example, data subject access requests. Some employees ask for a copy of their personal data, as a possible preliminary to litigation, notably in cases of termination of employment. Unions and staff representatives are more aware of the issues and question employers regarding the implementation of the GDPR.
Some IT and HR departments have already been confronted with breaches in the security system for personal data, which have forced them to communicate swiftly with the CNIL and with potentially affected employees.
Multinational companies with French subsidiaries have also had to re-think the volume and the level of detail of (local) personal data that they ask to be transferred to their headquarters, especially outside the European Union.
Anne-Laure Périès, Capstan
According to a recently published article, the German DPAs have issued 75 fines since the GDPR was implemented, based on the authorities’ answers to this research. The total amount of all fines imposed, based on these answers, was only EUR 449,000, the largest single fine being EUR 80,000. By way of background information, in Germany, the DPAs are organised on a German state level. Not all 16 Authorities had responded to the questions during this research.
The German legislator has passed a set of national implementation rules that was implemented as the same time as the GDPR. This German statute (‘Bundesdatenschutzgesetz’) includes a specific rule on the processing of employee data, which is for the most part based on previous German data protection legislation.
The GDPR received a huge amount of attention in Germany, especially around the time of implementation before and after May 2018. This included interest in the impact of the GDPR in employment relationships. Now that ‘GDPR preparation’ has been completed by most employers, an increasing number of new practical issues are emerging, such as how to handle data subject access requests (DSARs) or how to manage a very detailed list of data retention or deletion periods.
Regarding DSARs, a recent lower court verdict against German car manufacturer Daimler has received a lot of attention in the employment law community. The action is now pending before the highest German Labour Court, Bundesarbeitsgericht. In proceedings relating to a termination, the plaintiff, a lawyer himself, demanded to be provided with information about all data collated about his performance and behaviour and about the origin of this data. While DSARs are generally granted by the GDPR, the parties are now debating to what extent DSARs are limited by third party rights such as the privacy of other employees included in correspondence, and to what extent DSARs are limited by practical considerations, to avoid an obligation to provide bottomless amounts of information.
Jessica Jacobi, KLIEMT.Arbeitsrecht
So far, the Greek Data Protection Authority (HDPA) has mainly opted to raise awareness, providing information, guidelines and consultations and taking on an important role as an interpreter of data protection law provisions. It has, however, also taken some significant enforcement measures. It has imposed EUR 150,000 fines on mobile phone operators for making unsolicited calls, a EUR 30,000 fine on a group of companies in the petroleum industry for unlawful processing and failure to comply with the required organizational and technical measures, among others.
Some other notable decisions include its ruling that Uber is an information society service, falling within the scope of GDPR and its decision regarding the right to erasure, forcing Google to comply with data subjects’ requests, which the company had initially rejected, as well as imposing fines for breaching surveillance provisions.
In total, the HDPA has handled 66 data breach notifications in the first six months following implementation of the GDPR.
National legislation to implement the GDPR is still pending. The relevant bill was open to consultation and is expected to be finalised in the coming months.
GDPR is gaining attention in several law areas including labour law. Meanwhile HDPA activity has increased. The organisation chart has been updated to align with the post-GDPR era and controllers are currently being recruited, leading potentially to an increase of monitoring and enforcement measures. Recently, the HDPA published a list of the kind of processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) of the GDPR.
Greek courts have already dealt with a number of GDPR-related issues, such as notification requirements for the transfer of personal data to be used within the framework of employment litigation, compensation for unlawful transfer of personal data, valid consent issues and surveillance of employees.
Dimitrios Kremalis, Kremalis Law Firm
Several companies involved in Hungarian Data Protection Authority (NAIH) procedures have been fined. The usual amount of the fine is between HUF 500,000 and HUF 1 million, (approximately EUR 1500 and EUR 3000).
In one of its most relevant recent decisions, the NAIH imposed a fine of HUF 1 million on a company with a turnover of HUF 15 million, which it considered a symbolic amount, for not restricting and issuing copies of camera recordings, despite a request from a data subject. The data subject wanted to use the recordings as evidence in legal proceedings, as stated in the request. The company justified its decision on several grounds, including the fact that the data subject did not indicate how deleting the recording would infringe his or her legitimate interest, and in connection with what legal proceedings he or she made the request (although required to do so under Hungarian law).
According to NAIH, the company violated the data subject's right to restrict data processing. Under Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that restricting processing is necessary for the submission and enforcement of legal claims. There is no need to justify the right and the legitimate interest further than that. The conflicting Hungarian legal provision has been amended by the GDPR implementation law mentioned below.
In addition, the company failed to inform the data subject about the reasons for its decision and the legal remedies available to the data subject.
In imposing the fine, the authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant's rights. The refusal of the request also led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the conflicting national legal provision. was still in force, which could have misled the company in its decision to deny the data subject’s request.
Hungary has implemented the GDPR without significant changes. The implementation act came into force on 26 April 2019. The aim of the amendments is the harmonisation of sectoral laws in order to apply the GDPR. The GDPR implementation act amends 86 acts to comply with the GDPR, including the Labour Code. As a result, employees’ documents, the processing of the criminal records and the agreements relating to the use of work-related IT equipment must be reviewed.
Experience has shown that the NAIH is active; several proceedings have been initiated checking the data processing practices of operators and assessing compliance.
Nóra Óváry-Papp, CLV Partners
GDPR was implemented in Ireland through the Data Protection Act 2018. The Irish Data Protection Commission (DPC) has taken a proactive approach in respect of its various functions and including running a number of awareness campaigns in the lead up to May 25 2018. The DPC has opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp, Google and Instagram into issues such as large-scale data breaches, legal bases for processing and transparent presentation to users. It has not issued any fines under GDPR to date but that is not expected to remain the position indefinitely.
Between 25 May and 31 December 2018, the DPC received 3,687 data-breach notifications, of which 3,542 cases (96%) were classified as valid data protection breaches: an increase of 27% compared with the number of breaches reported in 2017. The largest number of breaches (85%) were because of unauthorised disclosure.
In January 2019, the DPC launched a large-scale public consultation on the Processing of Children’s Personal Data and the Rights of Children as Data Subjects under the GDPR. The DPC intends to use the responses to produce guidance materials for children and young people, and for organisations that process personal data of children and young people.
The DPC’s budget has increased significantly in recent years and the number of staff is due to increase further this year to meet the increased workloads.
Linda Hynes, Lewis Silkin Ireland
At the moment we have no news regarding fines issued by the Italian DPA (‘Garante Privacy’) based on the GDPR. Debate was wide-ranging over the past year and the DPA issued guidelines and information; however, there have been few investigations or actual breach procedures. This is due to a number of factors. By way of example we can list:
The legislator decided not to repeal the previously applicable privacy legislation (Legislative Decree no. 196/2003, the so-called ‘Privacy Code’) and rules but to amend them and make them compliant with the GDPR to create a new legal framework. Decree no. 101 August 10 2018 modified the Privacy Code and required a series of actions from the Italian DPA (e.g. the amendment of the previous general authorisations or the introduction of specific codes of conduct and guidelines).
The current initial situation of legal review is expected to change in the near future: the period of ‘first application’ of the GDPR recently ended and it is possible that the DPA will begin new initiatives, including inspections. In addition, two relevant regulations regarding the Italian DPA were recently published and came into force: these regulations give the DPA itself a new structure and define new administrative procedures to be observed, related deadlines and areas of expertise. The system may now be ready for the next step.
Paola Pucci, Toffoletto De Luca Tamajo e Soci
The Latvian DPA did not impose many penalties during the first year of GDPR application. The biggest publicly announced penalty was only EUR 2000, which is even smaller than the penalties imposed before the GDPR started to apply a year ago. There are several reasons for this: the DPA announced that in the first year it would be devoted to consulting to ensure appropriate implementation of the GDPR. The DPA was also overloaded due to a record number of complaints. Additionally, historically, the activity of the DPA regarding penalties has been variable: if one year has been productive in terms of penalties, the next has usually been less active.
Data controllers also started reporting personal data breaches but many of these cases did not qualify to be reported under the GDPR. Thus, many controllers choose an overly cautious reporting strategy.
Latvia has adopted a local ‘Personal Data Processing Law’. The Law does not repeat the provisions of the GDPR; instead it sets out provisions regarding the DPA, data protection officers, certification mechanisms, exceptions for data subjects’ rights as well as some specific personal data processing cases (such as children’s person data, video surveillance and logs). Still many data protection provisions can be found in other legislation related to other specific areas of law (such and litigation, patients’ rights, accounting, tax and many others).
There are several trends related to implementation of the GDPR. The most widespread one relates to dealing with the data subjects’ requests: while ensuring access rights is a good test for reviewing a controller’s data processing activities, the ‘right to be forgotten’ can be a reason for a further litigation. Moreover, companies have started paying more attention to security measures tailored specifically for personal data. Finally, GDPR-related questions have become an important part of M&A deals.
Anna Vladimirova-Krjukova, COBALT
On 16 May 2019, the first fine for a breach of the GDPR imposed by the Lithuanian State Data Protection Inspectorate was announced. A fine of EUR 61,500 was imposed on the electronic money institution MisterTango. The investigation proved that the company had breached three GDPR articles: the data minimisation principle, lack of security measures and failure to inform the DPA about a data security incident.
The company denies the alleged violations, specifically the failure to notify the DPA, stating that the obligation to notify was not breached, as the personal data incident was unlikely to result in risk to the rights and freedoms of individuals. It was reported that the data incident lasted two days, during which approximately 50 clients’ data was freely accessible from outside the company. However, according to the company no actual data leakage occurred. Nevertheless the DPA decided that it should have been notified. The company intends to appeal the decision to the national courts.
On 16 July 2018 the Law on Legal Protection of Personal Data was adopted. This law provides some basic rules for the use of individuals’ personal codes (national ID numbers) and for processing employee personal data. For example, it provides that it is forbidden to process candidate’s criminal record unless specifically prescribed by laws. In addition, the Lithuanian DPA has adopted an order specifying the data processing operations that require a privacy impact assessment. They include, for example, cases when telephone conversations are recorded, CCTV monitoring of public spaces occurs and when children’s data is processed for direct marketing purposes.
The GDPR is getting a lot of attention in the Lithuanian media, especially the interest can be observed among the business communities in the larger Lithuanian cities. In comparison, GDPR compliance in smaller towns as well as state and governmental institutions is still not adequate. Nevertheless, the Lithuanian DPA is quite active and supportive. In January a list of planned inspections was made public announcing the names of 75 organisations that will face GDPR compliance inspections in 2019. After the investigations are completed, DPA usually provides its recommendations regarding the most common compliance failures.
Renata Vasiliauskienė, COBALT
In Luxembourg, the GDPR was implemented by the Law of 1 August 2018 on the organisation of Luxembourg’s National Commission for Data Protection (‘Commission Nationale pour la Protection des Données’, CNPD) and the general system for protecting data (the ‘Law’). The Law came into force on 20 August 2018.
The Law modifies article L. 261-1 of the Labour Code concerning the monitoring of employees by the employer.
The main changes are set out below.
An employer can process personal data to monitor employees (if it is the responsible party) in the circumstances described in Article 6(1) of the GDPR. This extends the scope of such processing: the old legislation only allowed employers to use a monitoring system in the workplace in five limited circumstances, listed in the Labour Code. The employer also no longer has to secure the prior authorisation of the CNPD.
The employer is still obliged to inform the person in question, as well as the staff delegation or, failing that, the Inspectorate of Labour and Mines in advance of any processing of personal data to monitor employees’ activities.
The Law now specifies what this prior notice should include: a detailed description of the purpose of the planned processing, the process for implementing the monitoring system and, if applicable, the duration and criteria for storing the data as well as a formal commitment by the employer not to use the data collected for any purpose other than the one specifically defined in the notice.
When the employer plans to process data in order to monitor employees, the staff delegation, or failing this the employees concerned, can submit a request for an advance compliance opinion to the CNPD within 15 days of receipt of the notice. The CNPD will have to provide its opinion within a month of the request. The request for an advance compliance opinion has a suspensive effect, meaning the planned monitoring cannot be implemented until the CNPD has given its opinion.
Data processing for monitoring for employee health and safety reasons purposes, for temporarily monitoring the employee’s production or services when this is the only way to determine an exact salary, or for organising work on a flexitime basis is still subject to the co-decision system in accordance with the Labour Code, unless the processing is to fulfil a legal or regulatory obligation.
Since the GDPR and the Law entered into force, the CNPD has received many notifications of data breaches, however no major fines have been imposed yet.
Noémie Haller, Castegnaro
The Dutch Data Protection Authority has not yet imposed GDPR fines as vigorously as many people feared: it started first and foremost by providing information, guidelines and tools about the GDPR on the website.
Only one fine has been imposed: Uber was fined EUR 600,000 for breaching the reporting obligation for data breaches. This data breach took place at the Uber Group in 2016 (since 2016 there was already an obligation to report data breaches in the Netherlands, but with much lower penalties): unauthorised individuals were given access to customers’ and drivers’ personal data (names, email addresses and phone numbers). The Uber group was fined because it did not inform the DPA and the data subjects involved within 72 hours following the discovery of the data breach.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows the possibility for each EU member state to set its own, or further, rules on a number of subjects. The Netherlands decided to implement the GDPR in a ‘policy-neutral’ manner, meaning the Dutch implementation act (‘Uitvoeringswet AVG’) stays as close as possible to the text of the GDPR. More specifically, the Dutch implementation act has not made use of the possibility to introduce separate rules for processing of employees’ personal data. The implementation act applied from 25 May 2018.
The GDPR is slowly gaining attention in labour law. Dutch case law has seen examples in the past year of issues relating, for example, to data subject access requests or privacy claims after negative references from a former employer. The question of the admissibility of evidence obtained in breach of an employee’s privacy has also been examined: based on Dutch case law, even if it is established that evidence used, for example, in a dismissal case was obtained unlawfully by the party relying on it, the court is not generally required to disregard it. The general social interest in the truth coming to light plus the parties’ interest in being able to support their case, outweigh the arguments for excluding such evidence unless additional circumstances indicate otherwise.
Philip Nabben, Bronsgeest Deur
The Polish DPA has imposed two GDPR fines so far. The first, of PLN 943,000 (approximately EUR 218,803), was imposed on an entity that processed the data of 6 million data subjects, but only 90,000 of them were informed about it. The second fine was imposed (only a few days ago) on a sports association for failing to delete judges' data effectively. A penalty of PLN 55,000 (approximately EUR 12,762) was imposed.
Last year was also unique in terms of number of reported complaints and breach notifications. According to figures gathered by the Panoptykon Foundation, from 25 May 2018 to 28 February 2019, 5651 complaints were filed in Poland. Additionally, 3189 data breach notifications have been submitted to the DPA.
Although the main result of entry into force of GDPR was the introduction of a completely new Act on the protection of personal data in Poland, amendments to the Polish Labour Code introduced even more significant changes in the field of the employment market and practice. Firstly, specific provisions regarding monitoring in workplace are now in force and this monitoring is allowed only in certain situations. In addition, a list of employees’ and job candidates’ personal data which can be processed by employers has been established. There is a list of data that ‘must’ be requested by employers and provided by candidates and employees. Additionally, new provisions expressly allow employers to collect other personal data on the basis of the job candidates’ or employees’ consent. However, any special categories of data can only be processed based on consent if provided by the job candidate or employee at their own initiative. Employee biometric data processing is also possible if it is necessary to control access to particularly sensitive information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection.
Recently GDPR-related issues have dominated the labour law market. The DPA has issued a handbook for employers with answers to frequently asked questions. One hot topic is undoubtedly the scope and retention of data collected during recruitment. And yet, the appropriate duration of retention is unclear, since the opinions of the DPA and Polish Ministry of Digital Affairs differ. Close scrutiny of practical developments will be essential in this field.
Lastly, video monitoring is expected to become one of the main issues in 2019. The DPA has announced that its activity will focus on this area. In parallel, these types of cases (related to the legality of video monitoring or the legal basis of employee data processing) are slowly starting to be reviewed by the courts.
Edyta Jagiełło, Raczkowski
During the first year of GDPR enforcement, the Portuguese DPA imposed four fines as a consequence of data privacy breaches.
In 2018, a fine amounting to EUR 400,000 was issued as result of indiscriminate access from hospital staff to patients’ data and the data processor’s inability (hospital) to ensure the confidentiality, integrity and resilience of the system and processing services. The DPA considered that the hospital was severely at fault in its actions.
Minor fines were imposed during the course of 2019. A fine of EUR 20,000 was imposed on a call centre’s client (the data controller). The call centre did not provide a customer with records of phone calls after being requested by the latter to do so. The other fines of EUR 2.000,00 each were imposed as result of the lack of warning in cases of video surveillance.
Up to February 2019, more than 200 complaints were notified to the Portuguese DPA. Considering the number of complaints and the four fines already publicised, there is clear a lack of means and responsiveness from the Portuguese DPA (a fact that is also recognised by the Authority).
The Portuguese Government has not approved any national legislation aiming at adapting the GDPR. This delay is related to the negative opinion issued by the Portuguese DPA regarding the draft law that was published last year and subject to public consultation. We anticipate a national law will be approved in the coming months.
Data privacy concerns are common in employment relations and courts are slowly being asked to decide cases involving privacy issues. The GDPR focussed the attention of companies on privacy matters and after the initial stress of its entry into force the litigation environment is currently calm.
There is significant interest and anticipation regarding the proposed Portuguese national law on data protection and how the DPA will conduct its future inspection mission.
Bruno Barbosa, pbbr
Slovakia is still waiting for the first fine for failure to comply with the GDPR. Notwithstanding, the Slovak DPA is not afraid to impose fines of up to EUR 5,000 for refusal to cooperate during inspections to ‘motivate’ the organisations under inspection to provide the requested documents and information.
The reason for this is that the Slovak DPA is overloaded with thousands of complaints brought by the individuals, who in many cases are not even the data subjects, whose rights could have been violated. This means the inspections take months and data controllers are nervous of whether they are fully compliant or will be fined.
Despite the fact that the GDPR is effective EU-wide, Slovakia has adopted its own legislation, which came into force on the same day as the GDPR. The local law does not deviate from the official text of the GDPR, except the parts regulating the activities of the Slovak DPA. So far, the interpretations of the GDPR made by the local authority are in line with the guidelines issued by the European Data Protection Board.
Slovak employers were quite well prepared for the GDPR. HR departments took the opportunity to revise HR documentation to meet the GDPR requirements, and if necessary, to update it in other areas as well. One year later we note that most employers have implemented the GDPR, or have at least tried to. One positive observation is that after identifying any inconsistency with the GDPR, they are willing to fix it very fast.
The Slovak courts are also well prepared to apply the European case law when dealing with an employee privacy breach and monitoring employees´ work activities. Moreover, the Supreme Court has opined that such case law also applies to the privacy breaches that occurred prior to the relevant EU case law. This means employers are forced not only to keep up with recent EU case law but also to establish a careful balance between their right of control and employees’ privacy rights to avoid any future claims.
Danica Valentová, Nitschneider & Partners
Slovenia is one of the EU member states that has not yet completed the process of implementing the GDPR into national legislation. The legislative procedure for the adoption of the new Personal Data Protection Act is still ongoing. Only after its adoption will there be legislation listing violations and providing a basis for sanctions under the GDPR. The Information Commissioner as the competent authority for data protection in Slovenia does not currently have the power to impose administrative fines for violations of the GDPR. Consequently, the Information Commissioner can only impose monetary fines under the currently valid Personal Data Protection Act for matters not covered by the GDPR (e.g. biometrics, direct marketing, video surveillance, database linking etc.). Inspections initiated prior to GDPR with regard to matters that are now regulated by the GDPR had to be suspended until the new Personal Data Protection Act is adopted.
The latest proposal for the new Personal Data Protection Act was published on 6 March 2019 and is currently in the public consultation phase. The main concern is that the proposed new Act may overstep the margin of discretion foreseen in the GDPR in some aspects. Therefore, it is expected that the proposal will undergo further revisions, before being adopted by the National Assembly, probably in the second half of 2019.
Observations from the Information Commissioner show there has been a significant increase in requests for access by individuals to their personal data and requests for erasure of personal data. As follows from these observations, as a result of poor differentiation between legal bases for the processing of personal data under GDPR, many businesses prefer to ‘flood’ data subjects with consent requests rather than relying on another legal basis for processing. However, on the other hand, a number of DPO’s have been nominated (more than 2,100). The Information Commissioner also notes that data subjects are quite well acquainted with their rights deriving from the GDPR. As regards the impact on HR, practice shows that regulation was also rather strict before the GDPR and therefore no major changes have had to be implemented in this respect so far.
Darja Miklavčič and Jana Šteblaj, ŠELIH & PARTNERJI Law Firm
In its 2018 annual report, the Spanish DPA admitted that a radical change of mentality is absolutely necessary to achieve adequate implementation of GDPR. According to the Spanish DPA, this is a challenge not only for responsible individuals within organisations but also for the regulator, which has been forced to provide tools and guidelines to Data Protection Officers to facilitate GDPR compliance.
Some statistics from the first year: 34,000 data protection officers were appointed, almost 5,000 GDPR consultations were conducted and over 14,000 claims received. There have been almost 1,000 notifications of data breaches (a 30% increase).
This year has served to implement a change of culture in data handling by all players; for this reason the Spanish DPA has not yet imposed GDPR fines. However, there is a relevant case under the previous regulation from March 2018, regarding two severe infractions relating to personal data. A EUR 300,000 fine was imposed on WhatsApp (for communicating data to Facebook without valid consent) and Facebook (for using it for a purpose for which consent was not given).
The Organic Law 3/2018 of 5 December, on ‘Personal Data Protection and guarantee of Digital Rights’ gave rise to new articles in the Statutory Law (‘Workers´ Statute’), namely:
These new rights radically overhaul the way personal data is used and treated by employers, meaning internal policies must be drafted and followed to comply with them.
Individuals and therefore, employees are more concerned about their data and a wide range of cases have reached the courts. The proportionality principle is key when considering the legal validity of each practice.
GPS tracking installed and monitored in employees´ electronic devices is not allowed unless it is deemed adequate and necessary for a legitimate business goal, is not against any collectively agreed regulation and only after providing sufficient information on the measures to employees and their representatives, or after consulting or bargaining with them when required.
A clause in the employment contract by call centre employees consented to monitoring by webcams is valid since it was foreseen in the relevant Collective Bargaining Agreement and the employees knew about it when they were hired.
Lastly, the court disregarded evidence obtained in a breach of employees’ privacy. Two employees started a fight in the work parking area and were recorded by CCTV. Employees had not been informed of this video surveillance or its potential disciplinary use.
José Miguel Mestre Vázquez, Sagardoy Abogados
The Swedish DPA has not yet imposed any fines. However, the DPA has provided information about ongoing investigations and the following are of interest:
An incident has also been reported in media regarding a service providing medical advice to individuals by phone, called 1177. According to media reports, a million calls were publicly available on a web server. The DPA is currently investigating the companies providing this service.
Sweden decided to implement a law that complements the GDPR from the same date as the GDPR came into force. Since the purpose of the law is to compliment GDPR, it is not comprehensive. There is no separate legislation regarding processing of employees’ personal data.
The Swedish DPA has just published an integrity report including frequently asked questions from citizens and organisations. Questions concerning the lawfulness of employers’ processing of personal data are frequently asked, according to the report. The DPA has also, in its enforcement scheme, stated that employers’ monitoring of employees is one of the tasks prioritised for 2019-2020.
Sofia Lysén, Elmzell law firm
The UK’s Information Commissioner’s Office (ICO) is yet to impose a fine under the GDPR, though we understand that a fine is imminent. The most notable fine since 25 May 2018 was a fine of GBP 500,000 against Facebook (the maximum penalty under the Data Protection Act 1998).
In April 2019 the Home Office accidentally shared the email addresses of hundreds of EU citizens applying to stay in the UK after Brexit. The ICO were alerted to this incident and have said they will make an assessment, but no decision has yet been released.
Although no fines have yet been issued under the GDPR, the ICO have issued ten enforcement notices under the DPA 2018 and GDPR.
On 23 May 2018 the Data Protection Act 2018 became UK law, implementing the EU’s General Data Protection Regulation (GDPR). Some UK specific rules have been adopted, for example the ability for UK companies to process diversity data for the purposes of diversity monitoring without the consent of the data subject, and the criminal offence of deliberately failing to provide data to a data subject who has submitted a data subject access request.
The GDPR will be enacted in UK law after Brexit under section 3 of the European Union (Withdrawal) Act 2018.
Similar to other European countries, the UK has seen a rise in the number of data subject access requests submitted to data controllers, and also the number of data breaches reported to the ICO. The most commonly reported breach is a misaddressed email, rather than those breaches people typically imagine, for example systems being hacked.
Also, it is now customary to receive a data subject access request in conjunction with a grievance and a tribunal claim. Data subject access requests are used a tool for disclosure, but also as a tool to attempt to leverage more favourable terms from employers.
Steven Lorber, and Sean Illing, Lewis Silkin