Case Law Updates and Fines
- On October 10, 2023, the Italian data protection authority
(Garante) announced in its newsletter its Decision No. 405, as
issued on September 14, 2023, in which it imposed a fine of
€90,000 on GFB One s.r.l., for violations of the GDPR and the
Personal Data Protection Code, Containing Provisions to Adapt the
National Legislation to the GDPR, following a complaint by an
individual. You can read the newsletter here and the decision here, both only available
in Italian.
- On October 10, 2023, the Italian data protection authority
(Garante) announced in its newsletter its Decision No. 403 in which
it fined Shardana Working Soc. Coop. a r.l. €20,000, for
violations of the GDPR, following a complaint by three individuals
employed by the company. You can read the newsletter here and the decision here, both only available
in Italian.
- On October 10, 2023, the UK’s Information
Commissioner’s Office (ICO) announced that the Court of Appeal,
in a judgment published on the same day, upheld the ICO’s
handling of a data subject access request complaint. You can read
the press release here, the Court of
Appeal’s judgment here, and the High
Court’s judgment here.
Legislation
- On October 12, 2023, the UK Data Protection (Adequacy) (United
States of America) Regulations 2023 for the UK Extension to the
EU-US Data Privacy Framework (UK-US Data Bridge) entered into
effect. The UK-US Data Bridge designates the US as ensuring an
adequate level of protection for personal data transferred to the
US on the basis of the protections offered under the extension to
the EU-US Data Privacy Framework which the United States Department
of Commerce administers in relation to transfers of personal data
from the United Kingdom. You can read the UK-US Data Bridge here, the explanatory note
here, the factsheet here, the EU-US DPF
Principles here, and the DPF List
here.
Guidance and draft Guidance
- On September 19, 2023, the Hamburg Commissioner for Data
Protection and Freedom of Information (HmbBfDI) published
information regarding data breach notifications. The HmbBfDI
emphasised that high-risk personal data breaches involving data
loss or data falling into the hands of an unauthorized person
should be reported, and that a distinction must be made according
to the degree of risk to the affected individuals when deciding how
to respond to and notify data breaches. You can read the press
release here and access the form
here, both only available
in German.
Data Protection Authority Updates
- On October 10, 2023, Switzerland’s Federal Data Protection
and Information Commissioner (FDPIC) opted not to initiate formal
proceedings against Oracle America Inc. after investigating the
company in relation to a class action raised in the US. You can
read the press release, available in multiple languages, here.
- On October 10, 2023, Guernsey’s Office of the Data
Protection Authority (ODPA) released its latest breach statistics
for the period between July 2023 and September 2023. The ODPA noted
that 38 personal data breaches had been reported affecting 77,321
people, with a significant increase in numbers attributed to
breaches involving emails containing large volumes of personal data
being sent to incorrect recipients. You can read the press release
here.
- On October 10, 2023, the Spanish data protection authority
(AEPD) updated its breach advisory and notification tools. These
tools aid data controllers in deciding whether to notify
supervisory authorities and affected data subjects after a breach.
You can read the press release here, access the breach
advisory tool here, and the breach
notification tool here, all only available in
Spanish.
- On October 10, 2023, the Italian data protection authority
(Garante) announced the publication of a manual for the
implementation of nationwide health services through artificial
intelligence (AI) systems. The manual emphasizes that health data
processing with AI for public health interest requires a specific
regulatory framework to safeguard individual rights and interests
under the GDPR. You can read the newsletter here and download the
manual here, both only available in
Italian.
- On October 11, 2023, the French data protection authority
(CNIL) published its first practical sheets on the creation of
training databases for artificial intelligence (AI) systems and has
opened a consultation requesting public comments on the published
practical sheets. The consultation focuses on the GDPR’s
application to AI and AI’s compatibility with privacy
protection. Public comments may be submitted to [email protected] using the applicable form here, until November 16,
2023. You can read the press release here, the consultation
here, and access the
practical sheets here, all only available in
French.
Other Privacy News
- On October 9, 2023, the European Commission published its
finalized compliance report template for gatekeepers under the
Digital Markets Act (DMA) following a public consultation. The
Commission emphasised that a compliance report must be both
detailed and transparent, containing all relevant information the
Commission requires to assess effective compliance of designated
gatekeepers with the DMA. You can read the press release here.