On May 19, 2021, the Italian Supervisory Authority (“Garante”) fined a physician €5,000 for publishing a patient’s medical records without obtaining that patient’s specific consent to do so. As background, the physician downloaded medical records about a patient she treated at a local hospital from the hospital’s online archive system, including images taken during surgery. The physician used these records for a presentation at a medical conference, and also included them as documentation supporting a scientific research paper she submitted for a competition hosted by a surgeons’ association. The physician’s paper was ultimately selected as the winner of that competition, resulting in the publication of her work on the association’s website.
Continue Reading Italian Supervisory Authority Fines Physician for Secondary Use of Patient Data Without Specific Consent
General Data Protection Regulation (GDPR)
German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies
On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE. The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.
This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company. In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.
French Supervisory Authority Publishes Results of Public Consultation on the Digital Rights of Minors
In January 2021, the French Supervisory Authority (“CNIL”) published a summary report of contributions it received in response to a public consultation and survey on the digital rights of minors launched in April 2020 (see the press release here and a summary report here, both in French). Stakeholders who responded to the consultation included companies, professionals dedicated to the legal and educational issues related to children, parents and minors.
European Commission Publishes Report on EU Member States’ Rules in Relation to Health Data
In February 2021, the European Commission (“Commission”) released a report on European Union (“EU”) Member States’ laws governing the processing of health data. The report discusses three general types of health data uses:
- primary use for health care services;
- secondary use for public health purposes; and
- secondary use for scientific research purposes.
For each of these general purposes, the report assesses real-world use cases. For example, for health care services, the report considers e-health applications, among others. For public health purposes, the report considers pharmacovigilance and product approvals. The section on scientific research purposes, meanwhile, considers issues such as research by public bodies, sharing of data with third-party researchers, and the use of genetic data.
A New Day for GDPR Damages Claims in Germany?
Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low. This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages. Two recent cases decided by regional courts illustrate and confirm this prevailing stance. However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.
German Supervisory Authorities Plan to Circulate Questionnaires on Personal Data Transfers in Wake of Schrems II Decision
On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German). The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”). Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.
EDPB Publishes Draft Guidelines on Data Breach Notification Examples
On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here). The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.
The Guidelines are currently open for public consultation until March 2, 2021. In this blog post, we summarize a few key takeaways from the Guidelines.
Spanish Supervisory Authority Issues Guidance on Auditing Data Processing Activities Involving Artificial Intelligence
On January 12, 2020, the Spanish Supervisory Authority (“AEPD”) issued guidance on how to audit personal data processing activities that involve Artificial Intelligence (“AI”) (available here, in Spanish). The AEPD’s guidance is directed at data controllers and processors, as well as AI developers, data protection officers (“DPO”), and auditors. The guidance aims to help ensure that products and services which incorporate AI comply with the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).
EDPB and EDPS Release Joint Opinion on Draft EU Standard Contractual Clauses
On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses.
New Guidelines for Companies from German Supervisory Authority (DPA-BW) following Schrems II
On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.