THERE COMES THE FIRST GDPR-FINE?
08 October 2018
It was only spotted some weeks ago that the UK Information Commissioner’s Office (ICO) has issued its first GDPR formal notice. The target was AggregateIQ Data Services, a Canadian company that allegedly processed UK citizens’ data for political advertising. Read our article to learn the details of the case and to find out why I find it particularly interesting.
The Canadian company AggregateIQ (AIQ) as a data controller processed personal data of UK citizens on behalf of UK political organizations like Vote Leave and BeLeave during the Brexit campaign.
AIQ received personal data, such as names and e-mail addresses of UK individuals, and its task was to target those people with political advertising messages on social media platforms. Although the messaging happened before the entry into force of the GDPR, AIQ admitted during the ICO’s investigation that it still stores the data of UK citizens.
Supposedly, AIQ has been linked to the firm Cambridge Analytica, but on its webpage AIQ explicitly denies this.
The ICO carried out a thorough examination and came to the conclusion that AIQ has violated a number of provisions of the GDPR.
Indeed, AIQ has processed personal data in a way that data subjects were not aware of, for purposes which they would never have expected and without a lawful basis. Thus, AIQ violated the principles of lawfulness, fairness and transparency, as well as purpose limitation.
In the ICO’s view, AIQ likely caused damage or distress to the data subjects as they did not have the opportunity to properly understand how their personal data is processed and to effectively exercise their data protection related rights.
In its enforcement notice in July, the ICO gave AIQ 30 days to cease processing any personal data of UK citizens for political campaigning and advertising purposes.
Should AIQ fail to comply with this obligation, it faces a GDPR fine which can be 20 million Euros or 4% of AIQ’s annual worldwide turnover. AIQ also had the possibility to bring an appeal against the ICO’s notice within 28 days of its receipt.
According to the latest news, AIQ has challenged the ICO’s decision, so it is not final yet.
Territorial and temporal scope
Besides the fact that the issue is interesting in itself as it raises not only legal but also ethical questions, I find two aspects of the case particularly interesting, namely the territorial and temporal scope of the GDPR.
As mentioned earlier, AIQ is a Canadian company having its registered seat outside the European Union. Thus, the ICO’s action and its aftermath can be the first real test of the GDPR’s extended territorial scope, meaning it shall apply to the processing of EU data subjects’ personal data even if it was carried out outside the European Union by a non-EU company. I am looking forward to seeing how the decision can be enforced if it is maintained.
The second thing worth noting is that the ICO’s decision concerned processing activities carried out before the GDPR entered into force. The reasoning behind this was that AIQ continued to store and process the data in the GDPR era as well.
You may wonder why you should care about all this stuff as a company engaged in commercial activities that will probably never use personal data for political campaigning.
I get that, but let’s not forget about the subsidiary messages of the case, which can concern your company.
Firstly, the GDPR might apply to earlier processing activities if you do not amend them to be GDPR-compliant. Secondly, even if you are a non-EU based company, the GDPR may catch you if you process EU individuals’ personal data.