Data Protection Enforcement Updates

In addition to the ICO’s recent enforcement action taken against Doorstep Dispensary, European data protection regulators have been active with some interesting cases that are worth highlighting:  

  • In Greece, the Hellenic Data Protection Authority (HDPA) fined an organisation €15,000 for installing and using video surveillance in the workplace without consideration of the relevant lawful basis for doing so and for not sufficiently informing its employees of the cameras and their purpose.  
  • In Belgium, the Data Protection Authority (APD) imposed a fine of €15,000 on a website operator who had published a privacy policy, but it was only available in English when the audience for the website was primarily Dutch- or French-speaking. APD also found that the privacy policy was not easily accessible, nor did it include the lawful bases for processing personal data, as required by Article 13 of GDPR.

This highlights the importance of transparency as a rounded concept that needs to take into account your audience and the nature of the privacy information you provide. The website operator was also using Google Analytics without the necessary standard of consent in place from its users, something that has recently been ruled as unlawful by the Court of Justice of the European Union (CJEU).

  • The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) imposed a fine of €5,000 on an organisation using fingerprints (biometric data) of its employees for access control to certain locations. ANSPDCP found that there were adequate methods of implementing access control that did not involve the use of biometric data (special category data) and therefore presented lower privacy risks to the individuals. As such, the organisation had not met the requirements of the data minimisation principle of GDPR.

While the financial figures here are not vast, these cases again highlight the wide array of issues that European regulators are looking at. These mirror the Doorstep Dispensary case, where the penalty resulted from an in-depth investigation of the company’s data protection compliance and culture as a whole.

You can learn all about the first ever UK GDPR fine and lessons to be learnt here…

If you have any questions about your own data protection needs please feel free to contact us.