GDPR Regulations begin to bite
We are now beginning to see the impact of the GDPR regulations across politics, businesses and public services. With the upcoming UK general election, the ICO is issuing timely reminders. In Europe we are starting to see large fines being levied for GDPR breaches.
ICO Issues Letter to UK Political Parties
In a timely reminder the Information Commissioner has written to 13 political parties in the UK. The letter reminds them of their legal obligations regarding the use of Personal Data in the lead-up to the General Election. The ICO letter highlights the need for parties to:
provide individuals with clear and accessible information about how their personal data is being used. This includes
data obtained directly from individuals
data obtained from third parties, including data brokers
inferred data – ie data that is inferred from observed behaviour, such as reading or buying habits, responses to advertising and so on
- demonstrate compliance with the law. The scope here includes any third-party data processors. For political parties, this specifically includes data analytics providers and online campaigning platforms
- have the appropriate records of consent from individuals (where consent is the legal basis for processing) to send political messages through electronic channels (texts, emails)
- identify lawful bases for processing special category data, such as political opinions and ethnicity.
This places political parties on the same basis as commercial organisations under UK law.
Record Fine in Austria
The Austrian Data Protection Authority has imposed an €18 million fine on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”). After an investigation, the Austrian DPA established that ÖPAG processed and sold data regarding its customers’ political allegiances amongst other violations.This is a violation of the GDPR.
The fine is subject to an appeal.
Record Fine in Germany
On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information announced that it had imposed the highest fine issued in Germany since the EU GDPR became applicable. Deutsche Wohnen SE, a real estate company, was fined €14.5 million.
After onsite inspections, the Berlin Commissioner noticed the company was retaining personal data of tenants for an unlimited period. It had not examined whether the retention was legitimate or necessary.
Data should be removed without delay. once it is no longer needed for the specific purpose for which it was collected. Deutsche Wohnen SE was using an archiving system that did not enable the removal of such data. Affected data related to financial and personal circumstances, such as bank statements, training contracts, tax, social and health insurance data.
This fine should act as a strong reminder to all companies to review and update their data retention and deletion policies, processes and supporting procedures.