In its recent decision of June 15, 2021, involving Facebook and the Belgium Data Protection Authority (“DPA”), the European Court of Justice (the “ECJ” or the “Court”) clarified the conditions under which the non-lead supervisory authorities may exercise their powers
The European Commission Updates the Standard Contractual Clauses for International Transfers (and Releases a New Set of Controller to Processor Clauses)
On June 4, 2021, the European Commission released two new set of contractual clauses : A set of clauses for personal data transfers from Controller to Processor within the Union as required under article 28 GDPR (C to P clauses)
NDL: Booking.com fined €475,000 for a late data breach notification
The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company reported a data breach to the DPA 22 days later instead of whithin the required 72 hours.
When the breach occurred, criminals accessed the personal data of over 4,000 customers including the payment card information of almost 300 people.
Spain (AEPD): 6M€ fine on Caixabank for unlawful data processing and insufficient information
The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for : unlawful processing of its clients’ personal data (4.000.000 EUR); and not providing sufficient information regarding the processing of personal data (2.000.000 EUR).
Schrems II – Data transfers : The Bavarian DPA Responds to Recurring Criticism by Preventing a Company from Using Mailchimps
Following the publication of its response to a data subject in a German newspapers the “Standard“, the Bavarian Data Protection Authority (DPA) took this opportunity to respond to recurring criticism and draw the attention of people on its actual enforcement