Case Law Updates and Fines
- On October 10, 2023, the Italian data protection authority (Garante) announced in its newsletter its Decision No. 405, as issued on September 14, 2023, in which it imposed a fine of €90,000 on GFB One s.r.l., for violations of the GDPR and the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR, following a complaint by an individual. You can read the newsletter here and the decision here, both only available in Italian.
- On October 10, 2023, the Italian data protection authority (Garante) announced in its newsletter its Decision No. 403 in which it fined Shardana Working Soc. Coop. a r.l. €20,000, for violations of the GDPR, following a complaint by three individuals employed by the company. You can read the newsletter here and the decision here, both only available in Italian.
- On October 10, 2023, the UK’s Information Commissioner’s Office (ICO) announced that the Court of Appeal, in a judgment published on the same day, upheld the ICO’s handling of a data subject access request complaint. You can read the press release here, the Court of Appeal’s judgment here, and the High Court’s judgment here.
Legislation
- On October 12, 2023, the UK Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) entered into effect. The UK-US Data Bridge designates the US as ensuring an adequate level of protection for personal data transferred to the US on the basis of the protections offered under the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom. You can read the UK-US Data Bridge here, the explanatory note here, the factsheet here, the EU-US DPF Principles here, and the DPF List here.
Guidance and Draft Guidance
- On September 19, 2023, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) published information regarding data breach notifications. The HmbBfDI emphasised that high-risk personal data breaches involving data loss or data falling into the hands of an unauthorized person should be reported, and that a distinction must be made according to the degree of risk to the affected individuals when deciding how to respond to and notify data breaches. You can read the press release here and access the form here, both only available in German.
Data Protection Authority Updates
- On October 10, 2023, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) opted not to initiate formal proceedings against Oracle America Inc. after investigating the company in relation to a class action raised in the US. You can read the press release, available in multiple languages, here.
- On October 10, 2023, Guernsey’s Office of the Data Protection Authority (ODPA) released its latest breach statistics for the period between July 2023 and September 2023. The ODPA noted that 38 personal data breaches had been reported affecting 77,321 people, with a significant increase in numbers attributed to breaches involving emails containing large volumes of personal data being sent to incorrect recipients. You can read the press release here.
- On October 10, 2023, the Spanish data protection authority (AEPD) updated its breach advisory and notification tools. These tools aid data controllers in deciding whether to notify supervisory authorities and affected data subjects after a breach. You can read the press release here, access the breach advisory tool here, and the breach notification tool here, all only available in Spanish.
- On October 10, 2023, the Italian data protection authority (Garante) announced the publication of a manual for the implementation of nationwide health services through artificial intelligence (AI) systems. The manual emphasizes that health data processing with AI for public health interest requires a specific regulatory framework to safeguard individual rights and interests under the GDPR. You can read the newsletter here and download the manual here, both only available in Italian.
- On October 11, 2023, the French data protection authority (CNIL) published its first practical sheets on the creation of training databases for artificial intelligence (AI) systems and opened a consultation requesting public comments on them. The consultation focuses on the GDPR’s application to AI and AI’s compatibility with privacy protection. Public comments may be submitted to ia@cnil.fr using the applicable form here, until November 16, 2023. You can read the press release here, the consultation here, and access the practical sheets here, all only available in French.
Other Privacy News
- On October 9, 2023, the European Commission published its finalized compliance report template for gatekeepers under the Digital Markets Act (DMA) following a public consultation. The Commission emphasised that a compliance report must be both detailed and transparent, containing all relevant information the Commission requires to assess effective compliance of designated gatekeepers with the DMA. You can read the press release here.