Data Protection Authority

On August 5, 2020, the French Data Protection Authority announced that it has levied a fine of €250,000 on a French online shoe retailer for various infringements of the GDPR. This is the first penalty under the GDPR enforced by the CNIL as the lead supervisory authority in cooperation with other EU supervisory authorities.
Continue Reading CNIL Adopts Its First Sanction as Lead Supervisory Authority, Fining French Online Shoe Retailer

On July 16, 2020, the Court of Justice of the European Union issued its landmark judgment in the Schrems II case, concluding that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.
Continue Reading BREAKING: Unexpected Outcome of Schrems II Case: CJEU Invalidates EU-U.S. Privacy Shield Framework but Standard Contractual Clauses Remain Valid

On July 6, 2020, the Dutch Data Protection Authority imposed a 830,000 euro fine on the Dutch Credit Registration Bureau for non-compliance with Articles 12 (2) and 12 (5) of the EU General Data Protection Regulation between May 2018 and March 2019.
Continue Reading Dutch DPA Fines Dutch Credit Registration Bureau 830,000 Euros for Non-Compliance with Data Subject Rights

On July 14, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €600,000 fine on Google Belgium SA (“Google”) for non-compliance with the right to be forgotten.

Continue Reading Belgian DPA Issues its Largest Fine to Date for Non-Compliance with the Right to Be Forgotten

In a case that has garnered widespread interest, the Court of Justice of the European Union will deliver its judgement in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller-to-processor Standard Contractual Clauses as a cross-border data transfer mechanism under the GDPR.
Continue Reading CJEU’s Judgment on Validity of EU Standard Contractual Clauses Due July 16, 2020

On July 13, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it levied a €16,729,600 fine on telecoms provider Wind Tre S.p.A. (“Wind Tre”) for several unlawful data processing activities, mostly related to direct marketing.

Continue Reading Italian Garante Fines Telecoms Provider 17 Million Euros for Direct Marketing Infringements

On June 16, 2020, the Litigation Chamber of the Belgian Data Protection Authority imposed a fine on a company for unlawful and incorrect processing of personal data and non-compliance with the EU General Data Protection Regulation’s data subject rights provisions.
Continue Reading Belgian DPA Fines Company for Unlawful Processing and Non-Compliance with Data Subject Rights