Tag: Data Protection Authorities

GPEN publishes annual Sweep

14. March 2019

On May 9th, 2019, the „GPEN“(„Global Privacy Enforcement Network“) shared its “2018 Sweep”, an annual intelligence gathering that looked at how well organisations have implemented data privacy accountability into their internal privacy policies and programmes.

GPEN is a global network of more than 60 data protection agencies. The 2018 Sweep was a collaboration between  New Zealand’s (New Zealand Office of the Privacy Commissioner, “OPC”) and  UK’s (UK Information Commissioner’s Office, “ICO”) data protection authorities and was carried out by several data protection authorities across the globe.

The participating authorities reached out to 667 companies with a set of pre-determined questions that focus on key elements of responsible data protection. Those elements were:

  • The importance of internal policies and procedures for data governance;
  • Training and awareness;
  • Transparency about data practices;
  • The assessment and mitigation of risk;
  • Incident Management.

Of the 667 organisations contacted, only 53% (356) provided substantive responses and a large point of those had appointed an individual or a team to ensure compliance with relevant data protection regulations.

The 2018 Sweep shows that many organisations are quite good at providing data protection training to their employees but companies have to ensure that those training are offered to all employees and happen on a regular basis. It was also found that several organisations have processes in place on how to deal with data subject complaints and how to handle data breaches.

Overall, most organisations are aware of data protection and have a good understanding of it. Nevertheless, they have to make sure that they have clear policies and procedures in place and monitor their performance regarding the relevant laws and regulations.

Category: General · Personal Data
Tags: ,

Which European DPA is in charge of supervising Amazon?

28. July 2016

In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.

This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”

In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.

The Court of Justice of the European Union will probably rule on this matter today.

Category: European Court of Justice · General Data Protection Regulation · International Data Transfers
Tags: , ,