For almost everybody in the business world in Europe, and especially for company managers, HR leaders, marketing staff and legal experts, one of the biggest issues of last year was the General Data Protection Regulation (GDPR) of the European Union. The GDPR has been mandatory and directly applicable in all Member States since 25 May 2018. Legal experts of Sorainen Latvia, the Latvian partner firm of WTS Global, collected several cases of personal data protection violations from various EU Member States, the fines imposed and the main conclusions.
In three weeks, a year will have passed since the General Data Protection Regulation became applicable across the EU. Among other things, this meant that companies had to have their documentation and data processing procedures in line with GDPR requirements by that date.
What lessons should we learn from mistakes made by others?
Preparation for the General Data Protection Regulation was partly driven by the heavy fines, which were a hot topic of discussion, not least the maximum fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover, whichever is higher. Have concerns about these huge fines been reasonable? Several EU Member States have already reported on the first fines imposed.
Assessing these fines and the related violations can help eliminate remaining deficiencies in data processing procedures. With that in mind, we have collected the main conclusions from these decisions. They are addressed primarily to companies operating in Latvia but can be useful for data controllers in other countries too.
Excessive video surveillance: violation of the General Data Protection Regulation in Austria
Fine: EUR 4,800
A fine was imposed on a sports café that kept a public area (pavements, a car park and the café entrance) under video surveillance. The area covered by the cameras was not proportionate to the purpose of the processing. No signs notified people entering the area that video surveillance was in place. The recordings were also kept longer than the retention period set by Austrian national law (the GDPR leaves room for each Member State to determine this term).
What can we learn from this situation?
Video cameras. A controller operating video surveillance must have clearly defined purposes for the processing (for example, monitoring a production process, security, crime prevention or access control). Camera coverage must be proportionate to the stated purpose: a camera installed to protect an entrance should not also record the public pavement beyond it.
Signs about video surveillance. The controller must inform data subjects about the processing by providing all the information listed in Article 13 of the General Data Protection Regulation: the purposes of the processing, the storage period, data subjects' rights, and so on. In the case of video surveillance, this information must be provided before anyone enters the monitored area, and information signs are a practical way to do so. In Latvia, the legislator lets controllers choose whether to notify by means of a video surveillance sign or by some other means, for example a poster carrying all the required information. Under the Personal Data Processing Law, a video surveillance sign must state at least the controller's name, contact information and the purpose of the processing, and indicate where the other information listed in Article 13 of the General Data Protection Regulation can be found (for example, a web page to visit or a phone number to call).
“Dead souls” in the data processing system: violation of the General Data Protection Regulation in Portugal
Fine: EUR 200,000
A fine was imposed on a hospital for non-compliance with the fundamental principles of data processing, failure to apply appropriate technical and organisational measures, and failure to ensure the security (integrity and confidentiality) of the data. The hospital had no documentation of how user rights in its data processing system were granted. The system held 985 active doctor profiles, although the hospital employed only 296 doctors. Nine technical employees had been granted the same broad access to patient data as medical personnel. The size of the fine was also influenced by the fact that the controller processed health data, a special category of data that carries increased risk.
What can we learn from this situation?
Record keeping. Accountability is one of the fundamental principles of the General Data Protection Regulation (Article 5(2)). It means that the controller must be able to demonstrate compliance: to show how the information system works, how access rights are granted and revoked, and how the other GDPR principles are observed. Without documented rules for granting access, the hospital could not explain why 985 doctor profiles existed for 296 doctors.
Deactivation of user profiles. Controllers sometimes breach the rules by failing to deactivate the profiles of former employees. Offboarding must therefore always include deactivating the departing user's accounts immediately afterwards, and a periodic reconciliation of active accounts against the HR roster catches any that were missed.
Data minimisation. Another significant principle of the General Data Protection Regulation is data minimisation: processing must be "limited to what is necessary". So, when configuring rights to access the database, extensive rights to view, enter, correct and delete information should be granted only to employees whose duties require these operations. An IT technician who maintains the system does not need to read patient records to do so.
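The checks behind the last three points can be automated as a periodic access review. The following is an added example written for this article, not the hospital's or the regulator's code. The HR roster, the account list, the role names and the scope labels are constructed sample data, and the role policy is an assumed one that a controller would agree with its data protection officer. The script reconciles active accounts against the roster (catching orphaned accounts and accounts of people who have left), compares each account's scopes with what its role justifies, and counts accounts with patient-data access against the clinical headcount, the comparison that exposed 985 profiles for 296 doctors.

```python
"""Periodic access review: reconcile system accounts against the HR roster.

Added example, not from the original article. All data below is constructed;
the role policy and the helper names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional

# Data scopes an account may hold (hypothetical labels).
PATIENT_RECORDS = "patient_records"
PATIENT_RECORDS_WRITE = "patient_records:write"
SYSTEM_ADMIN = "system_admin"
BILLING = "billing"

# Assumed policy: the scopes each role's duties justify ("limited to what is
# necessary"). An IT technician administers the system but does not read charts.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "doctor": frozenset({PATIENT_RECORDS, PATIENT_RECORDS_WRITE}),
    "nurse": frozenset({PATIENT_RECORDS}),
    "it_technician": frozenset({SYSTEM_ADMIN}),
    "billing_clerk": frozenset({BILLING}),
}
CLINICAL_ROLES = {"doctor", "nurse"}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    end_date: Optional[date] = None  # None while still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    scopes: FrozenSet[str]
    active: bool = True


def review_access(roster: Iterable[Employee], accounts: Iterable[Account], today: date) -> dict:
    """Return review findings. HR is treated as the source of truth."""
    employed: Dict[str, Employee] = {}
    left: Dict[str, Employee] = {}
    for emp in roster:
        if emp.end_date is None or emp.end_date > today:
            employed[emp.user_id] = emp
        else:
            left[emp.user_id] = emp

    findings = {
        "orphaned": [],          # active account with no roster entry at all
        "left_but_active": [],   # employment ended but account never deactivated
        "excess_scopes": {},     # scopes beyond what the role's duties justify
        "patient_access_accounts": 0,
        "clinical_headcount": sum(1 for e in employed.values() if e.role in CLINICAL_ROLES),
    }
    for acc in accounts:
        if not acc.active:
            continue  # deactivated accounts are the desired end state
        if PATIENT_RECORDS in acc.scopes or PATIENT_RECORDS_WRITE in acc.scopes:
            findings["patient_access_accounts"] += 1
        if acc.user_id in employed:
            allowed = ROLE_POLICY.get(employed[acc.user_id].role, frozenset())
            excess = acc.scopes - allowed
            if excess:
                findings["excess_scopes"][acc.user_id] = sorted(excess)
        elif acc.user_id in left:
            findings["left_but_active"].append(acc.user_id)
        else:
            findings["orphaned"].append(acc.user_id)
    findings["orphaned"].sort()
    findings["left_but_active"].sort()
    return findings


# Constructed sample data: a small roster and the accounts found in the system.
SAMPLE_ROSTER: List[Employee] = [
    Employee("d001", "doctor"),
    Employee("d002", "doctor", end_date=date(2019, 1, 31)),  # left in January
    Employee("n001", "nurse"),
    Employee("t001", "it_technician"),
    Employee("b001", "billing_clerk"),
]
SAMPLE_ACCOUNTS: List[Account] = [
    Account("d001", frozenset({PATIENT_RECORDS, PATIENT_RECORDS_WRITE})),
    Account("d002", frozenset({PATIENT_RECORDS, PATIENT_RECORDS_WRITE})),  # not deactivated
    Account("d999", frozenset({PATIENT_RECORDS})),                          # nobody in HR
    Account("n001", frozenset({PATIENT_RECORDS})),
    Account("t001", frozenset({SYSTEM_ADMIN, PATIENT_RECORDS, PATIENT_RECORDS_WRITE})),
    Account("b001", frozenset({BILLING})),
    Account("old1", frozenset({PATIENT_RECORDS}), active=False),           # correctly disabled
]


def run_sample() -> dict:
    return review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, today=date(2019, 5, 1))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The review deliberately treats the HR roster, not the account system, as authoritative: an account that cannot be traced to a current employee is a finding regardless of how it came to exist. Running the review on a schedule, and keeping its output, also produces the documentation the accountability principle asks for.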