The first anniversary of the General Data Protection Regulation or GDPR: 5 significant developments for an entrepreneur

A bit more than a year ago, on 25.05.2018, new rules for data protection, i.e. the General Data Protection Regulation of the European Union (GDPR) was applied. Below are described five main events which occurred within the past year regarding the application of the EU Regulation.

The first fines imposed based on the General Data Protection Regulation

Centro Hospitalar Barreiro Montijo in Portugal gained a lot of attention after being fined 400,000 euros for violating GDPR. According to the assessment of Portuguese supervisory authority, the personal data of patients were left unprotected – hospital information systems essentially allowed every hospital employee to access all patient data. Such unlimited access to health data, which are considered particularly sensitive personal data in the meaning of data protection law, does not comply with the data protection requirements. Attention was also paid to fines imposed by ICO in the United Kingdom on Heathrow Airport and Uber for the breach of security requirements. Another interesting case resulting in imposing a fine took place in Austria, where a company was fined for having a surveillance camera capturing too much of the sidewalk, which was not directly necessary for ensuring the security of the company. The most coverage was given to probably the biggest fine imposed for violating data protection rules so far, totalling 50 million euros. The fine was imposed on Google by France’s supervisory authority. The Internet giant was fined for non-transparent activities. Inter alia, French supervisory authority found that Google failed to provide users with sufficient explanation regarding the actual use of their personal data.

The first large fine imposed for violating data protection requirements in the Baltic States

Lithuanian supervisory authority imposed a fine in the sum of 61,500 euros to a financial technology company MisterTango. The company was criticised for leaking the information regarding company’s customers to the Internet in July 2018, thus making more than 9,000 screenshots containing transaction data of its customers’ publicly available. MisterTango failed to report that incident to the Lithuanian Data Protection Inspectorate. This, however, is considered a violation of rules pursuant to GDPR, because GDPR requires that data leaks should be reported within 72 hours after their detection.

Estonian national legislation

As a rule, the application of the EU regulation means that the Member State does not have to adopt additional regulations on their own, because the regulation applies directly to all Member States. However, the General Data Protection Regulation contained several clauses, according to which every Member State had to adopt its own provisions. Ideally, such provisions should have been applied and entered into force at the same time as the General Data Protection Regulation, i.e. on 25.05.2018. However, it took more time in Estonia and in many other Member States. By now, however, Estonia has adopted its provisions and they have been entered into force. The Estonian Personal Data Protection Act entered into force on 29.01.2019 and the Personal Data Protection Act Implementation Act entered into force on 15.03.2019.

Fines and Estonia

The Data Protection Inspectorate has not rushed to impose regulation-related fines in Estonia. The homepage of the Inspectorate does not indicate whether there have been any fines imposed based on Estonian national provisions in force and GDPR. The practises and activities of the Data Protection Inspectorate can be followed HERE.

New recommendations

Just like every other law branch, the data protection law does not stand still. Within a year, the European Data Protection Board (formerly Article 29 Working Party) has come up with further recommendations and guidelines that help to understand the text of GDPR. Recently, in order to get feedback from the public, specific guidelines were published on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, i.e. when processing of personal data is required for performing or concluding a contract. It is important to pay attention to the recommendations made by the European Data Protection Board, because the Member States are not allowed to arbitrarily interpret the General Data Protection Regulation. Explanations on how to follow the rules established in the Regulation are primarily provided by the European Data Protection Board and the Court of Justice of the European Union. If you have any questions regarding data protection, do not hesitate to contact us.