When it comes to joint data processing, the simplest case is for the joint controllers to declare themselves as such and to set out their tasks and responsibilities in an agreement. There are, however, cases where joint controller status arises from a legal provision. In its recent decision, the Court of Justice of the European Union answers the question whether national law can implicitly designate the controller or the joint controllers.
Do supervisory authorities have the power to order the erasure of unlawfully processed personal data even if the data subject has not made such a request? What is more important: ensuring the high level of protection required by the GDPR, or respecting the data subject’s private autonomy, which the principle of limits of action serves? In its recent decision, the Court of Justice of the European Union had to answer these questions in a case related to Hungary.
I often hear from clients when we are discussing their role in relation to personal data processing that “we cannot be controllers, we do not hold and process the data, but an agent does”. This idea may seem logical at first sight, but is this indeed the case? Let’s find out from a recent judgement of the Court of Justice of the European Union, which addresses the issues of controller and joint controller status.
Under the GDPR, data subjects may claim compensation if they suffered damage because the controller infringed its obligations under the GDPR. Does a data theft by cybercriminals mean that the controller failed to adopt appropriate data security measures, and therefore failed to comply with its data protection obligations? Can the data subject claim compensation if the only damage suffered is the fear that their personal data may have been misused? The Court of Justice of the European Union answered these questions in a recent decision, which we analyse in this short article.
From 1 January 2024, companies operating in Hungary will face significant new cybersecurity obligations under the Hungarian legislation implementing the EU NIS2 Directive. In this short article, we describe which companies will be affected by the new regulation and what the most important tasks are in the new year.
Under the GDPR, data controllers have several obligations, such as maintaining records of processing activities or, in the case of joint controllers, entering into an agreement that determines their respective responsibilities for compliance with their data protection obligations. In a recent case, the Court of Justice of the European Union (‘CJEU’) had to decide whether non-compliance with these obligations constitutes unlawful processing, resulting in a duty to erase the personal data of the data subject.
Five years ago, probably the most common concern of companies across the European Union was to achieve compliance with the General Data Protection Regulation. In recent years tempers have calmed down; nevertheless, the application of the GDPR raises interesting legal questions from time to time. To celebrate the GDPR’s fifth birthday, we collected five landmark decisions of the Court of Justice of the European Union interpreting the GDPR that have had a high impact on data controllers’ lives.
The General Data Protection Regulation (‘GDPR’) offers several types of remedies to individuals whose rights have been infringed. Can those remedies be exercised in parallel, or must the person concerned choose among them? The Court of Justice of the European Union (‘CJEU’) answers this question in its recent decision, delivered in a Hungarian case.
Since the Court of Justice of the EU (CJEU) invalidated the Privacy Shield in mid-2020 and called into question the usability of the standard contractual clauses, we have been waiting for guidance from the European Data Protection Board (EDPB) on how to transfer personal data to non-EEA countries in a GDPR-compliant way. The EDPB has finally broken the silence and provided a 6-step guide, which we summarise in this short article.
The recent judgment of the Court of Justice of the European Union (CJEU) invalidating the EU-US Privacy Shield raised several questions concerning international personal data transfers. Companies that normally transfer personal data to the U.S. and use U.S.-based service providers are asking themselves: are we still allowed to do this? If not, what should we do now? In this short article we explain the judgment of the CJEU and the current situation.
The Hungarian Data Protection Authority imposed the highest fine ever in Hungary against Digi Távközlési és Szolgáltató Kft. for infringement of the GDPR. Let’s see what led to the record fine of HUF 100 million.
The supervisory authorities in Europe controlling compliance with the GDPR have not sat on their hands in the last couple of months. In this short article we collected five interesting cases from the recent past. The wide discretionary powers of the data protection authorities are well illustrated by the fact that in one case the GDPR fine was only EUR 2,000, while in another a company was fined EUR 11.5 million! Continue reading if you would like to avoid the same or similarly expensive errors.
In a recently published decision, the Hungarian Data Protection Authority (NAIH) dealt with the use of corporate e-mail accounts for private purposes and the monitoring of such accounts by the employer. As the topic can affect every employer that provides e-mail accounts to its employees for work purposes, we summarise the most important conclusions of the decision in this short article.
You have probably noticed that a pop-up window frequently appears when you visit a webpage, informing you that the webpage uses cookies. After the entry into force of the GDPR, the issue of cookies became even more central. Recently the Court of Justice of the European Union (CJEU) has also paid special attention to cookies. Read our short article if you use cookies on your webpage and would like to know how to do it right in the light of the new decision of the CJEU.
This summer, the Hungarian Supreme Court (Curia) delivered a judgment in a case in which the central question was whether an employer may lawfully monitor an employee’s own cell phone that is also used for work purposes. Although the legal framework has since been slightly modified by the entry into force of the GDPR, the case offers important lessons. Read our short article if you would like to know whether you can monitor a cell phone that your employee uses for work purposes.
Before the summer break, the Court of Justice of the European Union delivered a decision in a data protection matter that also concerned Facebook. The decision may be interesting and useful for everybody who embeds the Facebook “Like” button on their website. In our short article we summarise the most important findings of the Court.
Operating video surveillance in a GDPR-compliant way can be a real challenge for data controllers in Hungary. A key aspect of GDPR compliance is how the controller informs the data subjects (e.g. employees or customers) about the CCTV surveillance. Luckily, the European Data Protection Board, the EU body that brings together the national data protection authorities, has recently published a guideline on this issue. Read our short summary so that you know what to include in your camera privacy notice.
A few days before the first anniversary of the entry into force of the GDPR, the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organiser, the company behind the Sziget, VOLT and Balaton Sound festivals. The Data Protection Authority reviewed the festival’s check-in system and the data processing connected with the check-in. In our short article we summarise the mistakes the Authority identified.
It is not an April Fools’ joke that, almost one year after the GDPR entered into force, the Hungarian Parliament finally adopted the GDPR implementation act on 1 April. The act harmonises various areas of the Hungarian legal system with the GDPR and will amend more than 80 pieces of legislation. In this short article we collected the 5 most important provisions of the implementation act.
The Hungarian data protection authority, the NAIH, imposed its first fine based on an infringement of the GDPR in December 2018. It appears that for this “first cuckoo” the NAIH applied the “early bird” discount known from marketing. Indeed, the fine was not particularly high considering that it was imposed for an infringement of data subject rights. Well, let’s see the details of the case.
The ink on the French data protection authority’s decision in the Google case is barely dry, and the German antitrust authority has already imposed sanctions against the other ‘giant’, Facebook, because of its unlawful data processing activities. I suppose you are wondering what the connection is between data protection and competition law. Well, read our short article and you will know the answer.
During the preparation of the GDPR, it was often pointed out in professional circles that Google and Facebook are the primary targets of the strictest data protection regime in the world. Well, a little more than half a year after the GDPR entered into force, the sword of the French data protection authority has hit Google. Let’s see why the authority “rewarded” the tech giant with a modest fine of EUR 50 million.
Have you ever noticed that when you deal with a topic excessively, you start to see it everywhere? For me, it was clearly the GDPR that filtered into my private life. This gave me the idea to collect the GDPR “fails” of the year that my colleagues and I experienced. Of course, “our GDPR infringers” are not as big as Facebook and its “little” buddies, but maybe our stories will show you how easy it is to slip on a banana peel when it comes to GDPR compliance.
During our GDPR compliance projects I often hear from clients that they copy or scan the identity cards of their employees. It may not be my most thrilling article, but I find it important to clarify once and for all that this is a bad practice, as it is contrary to the GDPR and to the recommendations of the Hungarian Data Protection Authority. Below I briefly explain why copying ID cards is problematic and what you should do instead.
It was only spotted a few weeks ago that the UK Information Commissioner’s Office (ICO) has issued its first formal notice under the GDPR. The target was AggregateIQ Data Services, a Canadian company that allegedly processed UK citizens’ data for political advertising. Read our article to learn the details of the case and to find out why I find it particularly interesting.
You may have heard that British Airways suffered a serious data breach a few weeks ago. According to their report, the data of 380,000 passengers were compromised over a 16-day period. The case was widely covered in the media, and some outlets talked about the possibility of a record GDPR fine and a class action against BA. Given that the breach is still under investigation, I do not wish to speculate on the fines, but rather to summarise how I see British Airways (BA) handled the data breach and what you can learn from it.
I hope that the Hungarian Basketball Association is better at the game than at data protection. Indeed, based on the recent decision of the Hungarian Data Protection Authority, they have serious problems with the latter, and their data protection faults have been “rewarded” with a fine. Let’s look at the Association’s mistakes, which your company should avoid.
Are you within the scope of the GDPR if you collect personal data only on paper? Are you a data controller if you do not determine for your business partner what kind of personal data should be collected, and you do not even have access to the data? You can get the answers from our article, which summarises the EU Court’s judgment in the case of the Jehovah’s Witnesses community.
Recently, the Hungarian Data Protection Authority imposed a fine of HUF 2 million on Telekom, a major Hungarian telecommunications company, because of its unlawful direct marketing activity. Although the decision was made before the GDPR entered into force, it is worth examining Telekom’s mistakes. Indeed, the fine would have been much higher had it been imposed under the GDPR.
Some GDPR myths make you see a problem where there is none or, even worse, prevent you from detecting a problem when you should. To have a successful GDPR compliance project, you should avoid both of these faults. To help you, we debunk the 5 GDPR myths that we encountered most often during our compliance projects.
If a data leak, data theft or other breach happens at your company and it is likely to result in a risk to the data subjects’ rights, you have to report it to the supervisory authority. If this risk is likely to be high, you must also inform the affected persons. In this article we mention 5 things that you need to consider when deciding whether to notify the authority or the data subjects.
You may think that a data breach can only be the consequence of a cybercriminal attack, such as malware or ransomware. However, under certain circumstances a simple human error, such as losing a company laptop, can also constitute a data breach. In this short article we explain what exactly a data breach is and how to handle such an unwanted situation in a GDPR-proof way.
Last week, during a GDPR-related meeting with one of our clients, he told us: honestly, I have the feeling that this GDPR project is all about paperwork. Although this is not entirely true, we fully agree with our client that a huge part of a compliance project is drafting and adopting several documents. In this article we summarise the 5 basic types of documents that you must have in order to achieve GDPR compliance.
Do you operate a small e-shop and think that the GDPR and data protection concern only giants like Amazon? Let’s face it: you could not be more wrong. Consider the mere fact that your customers are private individuals and you process at least their name, e-mail address and postal address. Before panicking at the realisation that the GDPR applies to your e-shop too, take a deep breath and read our 5 tips on how your e-shop can be GDPR-compliant.
The European Court of Human Rights (ECHR) held in its recent judgment that the camera surveillance of lecture halls violated the professors’ right to privacy. Let’s see the details of the case and the findings of the Court.