Tag: GDPR implementation
16. March 2020
The European Data Protection Board (EDPB) released a review dated from February 18th, in a contribution to the evaluation of the General Data Protection Regulation (GDPR), which has reached its 20th month of being in effect.
Overall, the EDPB stated that it has a positive view of the implementation of the legislation in the different European Countries over the past 20 months. Furthermore, it deems a revision of the legislative text as likely, but not yet necessary in the near future.
The EDPB praised the Data Protection Authorities and their work up til now, saying it hopes that the cooperation between them will create a common data protection culture and consistent monitoring practices. But the report also mentioned that Supervisory Authorities in the countries face restrictions due to different national procedures and practices, which can hinder the cooperation. Furthermore, the EDPB sees a need to increase the funding for Supervisory Authorities to improve and support their duties.
On another note, the EDPB has acknowledged the challenges of implementation for Small to Medium sized Enterprises (SMEs). It says it is aware of these challenges, and works together with Supervisory Authorities to facilitate the supporting tools they have put out in order to support SMEs.
Lastly, it raised concerns about the timeframe of the new ePrivacy Regulation, and urged lawmakers to bundle their focus and efforts to carry on with its development.
3. September 2019
Portugal’s new data protection law “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” was finally published and entered into force last month, following its approval in June. This makes Portugal one of the last EU states to implement the GDPR regulations in national law. The new law regulates among other things the following points:
Consent:
Persons aged 13 and over can give effective consent. In an employment relationship, an employee’s consent is considered a legitimate legal basis only if it leads to a legal or economic advantage for the employee or if it is necessary to fulfil a contract.
Data Protection Officer:
In addition to the tasks defined in the GDPR, the Data Protection Officer in Portugal must ensure that audits are carried out, that Controllers are aware of the importance of early detection of data protection incidents and the relations with the Data Subjects regarding data protection.
Video surveillance:
The law stipulates that in some areas, such as bathrooms or changing rooms, video surveillance is prohibited. ATMs may also only be filmed in such a way that the customer’s keyboard and the associated PIN entry cannot be seen.
Retention periods:
If no retention period is specified, the duration necessary to achieve the purpose shall be decisive. However, the right to be forgotten can only be exercised at the end of the retention period. In contrast to the GDPR the Portuguese data protection law permits a storage of certain dates for always. This applies only to data about the social security amounts for the retirement if suitable technical and organizational measures are taken.
9. April 2019
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.
In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.
The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:
- the nature, the seriousness and duration of the violation,
- the number of data subjects affected,
- the extent of the damage and of the data compromised,
- the intentional or negligent nature of the violation,
- the measures adopted to mitigate the damages,
- the measures that were implemented to ensure compliance with the GDPR, including information security measures,
- prior violations,
- the level of cooperation with the DPA,
- the types of data involved,
- how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
- adherence to approved codes of conduct an certification mechanisms,
- any other applicable aggravating or mitigating factors.
The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.
