EU/UK Privacy & Cybersecurity News Roundup – Week of October 2, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. To track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On 3 August, the Federal Administrative Court (BVwG), in its decision in Case No. W101 2258430-1/33E, partially upheld the decision of the Austrian data protection authority (DSB) regarding the right of access, right of privacy, and the right to request the appointment of a data protection officer (DPO) of the complainant under the General Data Protection Regulation (GDPR). You can read the judgment, only available in German, here.
  • On 20 September, the UK Information Commissioner’s Office (ICO) announced that it had issued an enforcement notice and monetary penalty notice to House Hold Appliances 247 Limited in which it fined the company £55,000 for violation of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), following complaints by individuals. You can read the press release here, the enforcement notice here, and the monetary penalty here.
  • On 22 September, the Estonian Data Protection Inspectorate (DPI) announced that it had found three unnamed companies providing short-term vehicle rental services in violation of the General Data Protection Regulation (GDPR), following an inspection launched ex officio in July 2022. You can read the press release, only available in Estonian, here.
  • On 25 September, the Danish data protection authority (Datatilsynet) published its decision in Case No. 2023-832-0081, as issued on the same date, in which it expressed criticism against Dagrofa ApS, for violations of Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the Act), following a complaint made by an individual. You can read the press release here and the decision here, both only available in Danish.
  • On 25 September, the Danish data protection authority (Datatilsynet) announced that it had carried out 16 planned inspections of municipalities’ and banks’ handling of data breaches. You can read the press release and the decisions here, all only available in Danish.
  • On 26 September, the Croatian Personal Data Protection Agency (AZOP) announced that it had imposed a fine of €15,000 on a hotel for violations of the General Data Protection Regulation (GDPR), following a complaint from an individual. You can read the press release, only available in Croatian, here.
  • On 26 September, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) announced its decision in which it imposed fines of RON 124,150 (approx. $26,441) and RON 40,000 (approx. $8,519) on Restart Energy One SA, for violations of the General Data Protection Regulation (GDPR) and Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Electronic Communications Law), respectively, following a data breach notification. You can read the press release, only available in Romanian, here.
  • On 26 September, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00064/2023, in which it imposed a fine of €70,000 on Digi Spain Telecom S.L.U., for violation of the General Data Protection Regulation (GDPR) after receiving a complaint. You can read the decision, only available in Spanish, here.
  • On 28 September, the French data protection authority (CNIL) published Deliberation SAN-2023-013 of September 18, 2023, in which it imposed a fine of €200,000 on SAF Logistics for violation of the General Data Protection Regulation (GDPR), following a complaint. You can read the press release here and the decision, only available in French, here.
  • On 28 September, the Court of Justice of the European Union (CJEU) published a press release containing a summary of the Advocate General (AG) Maciej Szpunar’s opinion in Case C-470/21 La Quadrature du Net and Others. You can read the press release here.

Legislation

  • On 21 September, the UK Information Commissioner’s Office (ICO) issued its opinion on the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (the UK Extension) issued by the Department of Science, Innovation and Technology (DSIT). You can read the press release here.
  • On 24 September, the Data Governance Act (DGA) became applicable in full, following its entry into force on June 23, 2022. You can read the DGA here and a summary here.

Guidance & Draft Guidance

  • On 19 September, the French data protection authority (CNIL) published best practices for organizations considering developing a code of conduct or wishing to improve an existing one. You can read the recommendations, only available in French, here.
  • On 22 September, the Lower Saxony data protection authority (LfD Niedersachsen) announced that it, together with six other data protection supervisory authorities, had developed a guide on how to deal with Microsoft’s standard order processing agreement, known as Products and Services Data Protection Addendum (the Addendum), for the use of Microsoft 365. You can read the press release here and download the guide here, both only available in German.
  • On 23 September, the Croatian Personal Data Protection Agency (AZOP) published a list of guides and educational material on the General Data Protection Regulation (GDPR). You can read the press release, only available in Croatian, here.

Data Protection Authority Updates

  • On 6 September, the Irish Data Protection Commission (DPC) published a compilation of 126 case studies covering the first five years of the General Data Protection Regulation (GDPR), from 2018 to 2023. You can read the booklet here.
  • On 8 September, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) announced that the International Working Group on Data Protection in Technology (the Berlin Group) had released a working paper on smart cities, which includes recommendations to service providers and regulators. You can read the press release, only available in German, here and the working paper here.
  • On 13 September, the Norwegian data protection authority (Datatilsynet) released a statement regarding camera surveillance in the workplace, with a special focus on young employees. You can read the press release, only available in Norwegian, here.
  • On 21 September, the Dutch House for Whistleblowers published a report on an investigation into whether an individual was disadvantaged for whistleblowing. You can read the press release here and the report here, both only available in Dutch.
  • On 28 September, the Norwegian data protection authority (Datatilsynet) published its inputs on the Norwegian Government’s new digitization strategy. You can read the press release here and the inputs here, both only available in Norwegian.