Court of Justice of the European Union Invalidates the EU-U.S. Privacy Shield, Finds Standard Contractual Clauses Valid

The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called, Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework. This decision will require companies to re-examine their approach to transferring data between the U.S and the EU. Background In 2015 Max…


Data Protection Conference in Tirana Forecasts an International Focus in 2020 on Converging Privacy Laws and Accountability

Last fall, the International Data Protection and Privacy Commissioners’ Conference convened in Tirana, Albania. Achieved Compliance once again participated in this annual meeting, which brings together regulators, experts, advocates and practitioners from around the globe. By attending this meeting, Achieved Compliance benefits from the opportunity to understand what concerns data protection authorities and on what issues they will focus their attention over the coming year. The theme of this year’s meeting was Convergence and Connectivity:  Raising Global Data Protection Standards in the Digital Age. The conference posed the questions – How are laws converging, and what factors are driving convergence? What are the challenges in building more convergence…


Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order. Article 14 obligates data controllers to inform…


Framework for GDPR Fines Published by the Dutch Authorities

The Dutch Data Protection Authority (AP) has announced a new policy for determining the fines to be imposed for violations of the General Data Protection Regulation (GDPR) and its national implementing act. The AP’s assessment will first take into account the maximum amounts specified by the European Regulation: either 10 million euros or 2% of the annual worldwide turnover, or 20 million euros or 4% of the annual worldwide turnover, depending on the violation incurred. Violations that are subject to fines are divided into three or four categories designed by the data protection authority to take into account the weight of the breached requirements, with each assigned a…

  • 1
  • 2