
The fines provided for in the European Union's General Data Protection Regulation (GDPR) are being imposed on companies. This week the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on Booking.com. See this press release on the DPA's site.


The popular online hotel reservation service was fined for waiting until February 7, 2019 to report a data breach it discovered on January 13, 2019. Article 33 of the GDPR requires a supervisory authority to be notified of a data breach within 72 hours of its discovery. The breach involved credit card information for 300 individuals, and other personal data for 4,000 individuals.


The Dutch DPA has an online form businesses can use to report data breaches. The form includes a timeline section which requires that the date the breach was discovered be stated, and specifically directs that an explanation be given for breaches reported more than 72 hours after notice is first obtained of the breach.



The form also requires the reporting of the following information:

  • A contact person to provide ongoing information about the breach to the DPA.

  • The types of information compromised, including Citizen Service Numbers, biometric data, genetic data, access data, and health information.

  • Which part of the data was encrypted.

  • Whether unauthorized persons gained access to the data.

  • Whether inaccurate data was disclosed.

  • Whether essential services cannot be provided to data subjects.


Article 35 of the General Data Protection Regulation requires that an impact assessment be prepared for data processing which poses a high risk to personal data. These Data Processing Impact Assessments are particularly recommended in the following situations:


1. Personal profiling which affects the legal rights of individuals.

2. Processing of data regarding criminal records.

3. Processing of data on the race, ethnicity, political beliefs, religious beliefs, health, sexual orientation, or trade union membership of individuals.

4. Large scale monitoring of a public area.


The list of processing operations covered by the assessment must be made available to the public.


The assessment has to include the following:

  1. A systematic description of processing operations.

  2. An assessment of the necessity and proportionality of the processing operations in relation to their purposes.

  3. The measures taken to safeguard the personal data.


The views of the data subjects must be solicited for the DPIA.


The DPIA must be updated when the risk to the personal data changes.


The Information Commissioner's Office of the United Kingdom has posted a sample template for a Data Processing Impact Assessment. Among other things, the template requires that a plan be prepared about how to consult relevant stakeholders; and descriptions be given of each type of risk the processing poses, indicating the likelihood of harm, severity of harm, and overall degree of risk. An organization's Data Protection Officer has to sign off on the assessment.



Feb 4, 2021

Max Schrems, the plaintiff in the case in which the EU Court of Justice ruled that the European Union/United States Privacy Shield was inadequate under the GDPR for data transfers, has started an organization, NOYB (None Of Your Business), which files GDPR-related complaints. NOYB has created a site, GDPRHub, to organize information related to the GDPR.


The site posts decisions (and summaries of those decisions) by European data protection authorities and the courts of various countries in the EU.




The site also provides outlines for the data protection laws in each European Union member country.



GDPRHub is still a work in progress, but it's a good way to get a quick handle on GDPR-related caselaw.


NOYB filed a complaint with France's Commission nationale de l'informatique et des libertés (CNIL) which led the commission to issue a 50 million euro fine on Google for failing to gain users' consent to process data.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
