In January, tech giant Google was fined EUR 50 million for breaching the GDPR, and since then more than 150 fines have been issued by national supervisory authorities. In comparison, fewer than 20 fines were made public in 2018.
Although the fine imposed on Google was an all-time high, in July, the British DPA imposed a fine twice as high on the hotel group Marriott International (EUR 110 million) and a fine four times as high on British Airways (EUR 204.6 million).
In contrast to the rest of the EU, in Denmark (and Estonia) only the courts – and not the DPA – may issue fines. However, this has not prevented the Danish DPA from recommending fines in the millions. In March, the DPA recommended that Taxa 4x35 be fined DKK 1.2 million, and in June that IDdesign A/S be fined DKK 1.5 million. In addition, the DPA has criticised a number of companies for not complying with the GDPR.
Processing of personal data by private individuals is most often exempt from the GDPR, as the GDPR does not apply to processing of personal data by natural persons when done as part of purely personal or family activities. Nevertheless, in October, the District Court of Frederiksberg imposed a DKK 15,000 fine on a 31-year-old man who, without any lawful basis for processing, had shared the name and photo of a person convicted as a rapist. The decision, which was the first court decision in Denmark, shows that natural persons can also be fined under the GDPR.
While in 2018 the GDPR was rolled out across companies through the preparation of policies, guidelines and data processing agreements, 2019 became the year in which the supervisory authorities seriously began checking whether companies had completed this work. The many decisions in 2019 seemed to focus in particular on companies with no legal basis at all for processing data or on companies with insufficient grounds for processing data. There were especially many cases pertaining to non-conforming consents, which was possibly the reason why the DPA updated its guidelines regarding consent in September 2019. The 2019 decisions also targeted companies for not implementing adequate technical and organisational measures, thereby allowing unauthorised persons access to personal data processed by the company.
During 2019, the Danish DPA issued new and updated guidelines providing support in the interpretation of the GDPR.
As early as 2018, the DPA issued a template for a data processing agreement. Under the GDPR, the DPA has the option of adopting so-called standard contractual clauses, which are then specifically and legally binding. However, such standard clauses must be adopted in cooperation with the other EU supervisory authorities, among others, to ensure a uniform application of the rules across the EU.
In 2019, the Danish DPA made the first move in this respect: on the basis of an opinion from the European Data Protection Board, the DPA amended its template for data processing agreements, and as of 10 December 2019 the template appears as a standard clause.
Nevertheless, the amendment does not mean that companies are obliged to use the template. Companies may continue to draw up their own data processing agreements as long as they comply with the requirements of Article 28 of the GDPR. However, if companies use a standard data processing agreement, the DPA will not review its clauses, for example in connection with an inspection visit.
Initially, the intention was for the ePrivacy Regulation to enter into force at the same time as the GDPR on 25 May 2018. However, it was not possible to agree on the wording of the Regulation at that time, and it now seems that this task is a lot more difficult than first anticipated.
The Presidency of the Council of the EU has worked flat out to draw up a draft that all Member States can agree on, but without success. For example, during the past six months, the Finnish Presidency of the Council of the EU has produced no fewer than eight drafts.
It will be interesting to see whether the disagreements can be resolved this year, either under the Croatian Presidency (1 January-30 June) or the German Presidency (1 July-31 December), so that a more up-to-date regulation of ePrivacy can apply.
Holst, Advokater wishes you all the best in 2020. We provide advice to clients on all matters pertaining to data protection and assist in the preparation or review of current data protection policies, data processing agreements, etc. in order to ensure compliance with applicable legislation.