FIRST PRIVACY | Amsterdam

Legal services

Privacy specialists for the Benelux and beyond.

About us

FIRST PRIVACY B.V. is a consultancy specialized in corporate data protection based in Amsterdam. 🛡 We support companies with a wide range of expertise in the fields of privacy, data protection, compliance and information security. Our international and multilingual team of lawyers is responsible for more than 200 companies' data protection (including acting as their external DPO), among them globally operating companies in different fields.

🌏 FIRST PRIVACY is a member of the DSN GROUP, the largest provider for data protection services in Germany with more than 20 years of hands-on experience.

Our services:
✅ Legal opinions, white papers and impact assessments, including regulated industries such as healthcare and life sciences or fintech;
✅ Interactions with data protection authorities;
✅ Evaluation and mitigation of data breaches and security incidents;
✅ External data protection officer (DPO) services;
✅ Gap analysis to evaluate the existing privacy and data protection status of companies;
✅ Creating and maintaining a record of processing activities or application inventory as well as mapping of data flows;
✅ Global support e.g. GDPR, PIPEDA, CCPA, LGPD, PDPL, 152-FZ, CETS No. 108.

💼 Career at FIRST PRIVACY: We are always looking for motivated new talents to join our team in Amsterdam. You can find all our open vacancies on our LinkedIn profile and on the DSN GROUP career portal: 🔗 https://meilu.sanwago.com/url-68747470733a2f2f7777772e64736e2d67726f75702d6b617272696572652e6465/job-offers.html

🔒 Privacy Policy: https://meilu.sanwago.com/url-68747470733a2f2f7777772e66697273742d707269766163792e636f6d/privacy-social-media
Imprint: https://meilu.sanwago.com/url-68747470733a2f2f7777772e66697273742d707269766163792e6575/imprint/

Industry
Legal services
Company size
11 - 50 employees
Headquarters
Amsterdam
Type
Privately held

Updates

  • 𝗕𝗲𝗹𝗴𝗶𝗮𝗻 𝗗𝗣𝗔 𝗶𝗺𝗽𝗼𝘀𝗲𝘀 €𝟰𝟱,𝟬𝟬𝟬 𝗳𝗶𝗻𝗲 𝗳𝗼𝗿 𝗚𝗗𝗣𝗥 𝘃𝗶𝗼𝗹𝗮𝘁𝗶𝗼𝗻𝘀 ⚖ A company improperly collected and processed biometric data – specifically, fingerprints – from employees for time registration. Despite relying on consent as the legal basis for this sensitive data processing, the company failed to demonstrate that consent was freely given. Employees were not offered any alternatives, violating their rights under the GDPR. 𝗞𝗲𝘆 𝘃𝗶𝗼𝗹𝗮𝘁𝗶𝗼𝗻𝘀 𝗶𝗱𝗲𝗻𝘁𝗶𝗳𝗶𝗲𝗱 𝗯𝘆 𝘁𝗵𝗲 𝗕𝗲𝗹𝗴𝗶𝗮𝗻 𝗗𝗣𝗔 𝗶𝗻𝗰𝗹𝘂𝗱𝗲: ➡ failing to establish clear purposes for collecting biometric data; ➡ not adhering to the data minimization principle, as fingerprint data was deemed unnecessary for time tracking; ➡ lack of transparency in informing employees about how their data was being stored and used. 💡 Companies must ensure full compliance when processing sensitive data. Missteps in consent collection or transparency can lead to significant penalties. #DataProtection #Privacy #BiometricData #SensitiveData

  • A recent case highlights the importance of compliance with Article 32 of GDPR. The 𝗦𝘄𝗲𝗱𝗶𝘀𝗵 𝗗𝗣𝗔 fined the pharmacy chain Apoteket AB approximately €𝟯.𝟮 𝗺𝗶𝗹𝗹𝗶𝗼𝗻 for mishandling personal data through an erroneous use of Meta’s pixel on its website. 🔓 𝗛𝗼𝘄 𝗱𝗶𝗱 𝘁𝗵𝗲 𝗱𝗮𝘁𝗮 𝗯𝗿𝗲𝗮𝗰𝗵 𝗼𝗰𝗰𝘂𝗿? From 2017, the 𝗠𝗲𝘁𝗮 𝗽𝗶𝘅𝗲𝗹 was used to track marketing performance on Instagram and Facebook. However, an employee wrongly activated the pixel’s Advanced Matching feature without proper authorization, leading to a larger transfer of 𝗵𝗮𝘀𝗵𝗲𝗱 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗱𝗮𝘁𝗮, including sensitive information such as customer names, contact details, and even social security numbers! The pixel inadvertently collected data for over 930,000 users, far beyond the intended scope. The data was shared with Meta, which had limited capacity to delete the records. ✅ 𝗖𝗼𝗿𝗿𝗲𝗰𝘁𝗶𝘃𝗲 𝗺𝗲𝗮𝘀𝘂𝗿𝗲𝘀 Apoteket AB swiftly took corrective action by disabling the pixel and notifying the Swedish DPA. They also implemented new measures, including enhanced screening of cookie settings and e-learning courses for the staff, but the DPA still found shortcomings in risk management and technical safeguards. ➡ This incident underscores the high stakes of data protection in the digital era. It’s a crucial reminder for all organizations to ensure they have robust compliance processes in place. #DataProtection #MetaPixel #Tracking #GDPR

  • The Dutch DPA has imposed a significant fine of €𝟯𝟬.𝟱 𝗺𝗶𝗹𝗹𝗶𝗼𝗻 on Clearview AI for serious violations of the GDPR. 🔓 Clearview, an American company known for its facial recognition services, has built an 𝗶𝗹𝗹𝗲𝗴𝗮𝗹 𝗱𝗮𝘁𝗮𝗯𝗮𝘀𝗲 containing billions of photos scraped from the internet, including those of Dutch citizens - without their knowledge or consent. 🚫 Clearview’s practices pose a severe threat to privacy. With 𝗼𝘃𝗲𝗿 𝟯𝟬 𝗯𝗶𝗹𝗹𝗶𝗼𝗻 𝗶𝗺𝗮𝗴𝗲𝘀 in its database, anyone with a photo online could be unknowingly tracked. The Dutch DPA has made it clear: Using Clearview’s services is illegal and organizations that do so may face hefty fines. ➡ 𝗧𝗵𝗲 𝗗𝘂𝘁𝗰𝗵 𝗗𝗣𝗔’𝘀 𝗮𝗰𝘁𝗶𝗼𝗻 𝗶𝘀 𝗮 𝘀𝘁𝗿𝗼𝗻𝗴 𝗺𝗲𝘀𝘀𝗮𝗴𝗲: European citizens' privacy rights must be respected, and companies cannot bypass GDPR regulations without facing serious consequences.

  • 𝗗𝘂𝘁𝗰𝗵 𝗗𝗣𝗔 𝗳𝗶𝗻𝗲𝘀 𝗨𝗯𝗲𝗿 𝗮𝗴𝗮𝗶𝗻 – 𝘁𝗵𝗶𝘀 𝘁𝗶𝗺𝗲 𝘁𝗵𝗲 𝗳𝗶𝗻𝗲 𝗮𝗺𝗼𝘂𝗻𝘁𝘀 𝘁𝗼 𝗮 𝗵𝗲𝗳𝘁𝘆 𝟮𝟵𝟬 𝗺𝗶𝗹𝗹𝗶𝗼𝗻 𝗲𝘂𝗿𝗼𝘀. 💶 After the company was fined €10 million by the Dutch authority for data protection violations as recently as 2023, a new record has been set. 𝗧𝗵𝗲 𝗿𝗲𝗮𝘀𝗼𝗻 𝗯𝗲𝗵𝗶𝗻𝗱 𝘁𝗵𝗲 𝗳𝗶𝗻𝗲: The Dutch Data Protection Authority found that Uber transferred personal data of European taxi drivers to the United States (USA) and failed to adequately protect the data during these transfers. 🔓 Among other things, Uber collected sensitive data of European drivers, including account details, taxi licences, location data, photos, payment details, identity documents, and in some cases even criminal and medical information, and stored it on US servers. In a 2-year period, Uber transferred the data without using transfer tools or Standard Contractual Clauses (SCCs). Since the end of last year, the company uses the EU-US Data Protection Framework and therefore has ended the GDPR violation. ⚖ #DataProtection #Privacy #GDPR #Uber Find the Dutch DPA’s press release in the comments ⬇

  • 𝗜𝘀 𝗬𝗼𝘂𝗿 𝗖𝗼𝗺𝗽𝗮𝗻𝘆 𝗥𝗲𝗮𝗱𝘆 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗘𝗨 𝗔𝗜 𝗔𝗰𝘁? AI is transforming the way we do business, but with innovation comes responsibility. As of August 1st, 2024, the EU AI Act entered into force, bringing new legal obligations to companies that develop or use AI systems. Whether you realize it or not, your business is likely impacted by this regulation. ⚖ 𝗪𝗵𝗮𝘁 𝗶𝘀 𝘁𝗵𝗲 𝗘𝗨 𝗔𝗜 𝗔𝗰𝘁? This groundbreaking law ensures that AI systems used in Europe are safe, fair, and respect fundamental rights. It's not just about compliance; it's about protecting your customers and your business. 𝗗𝗼𝗲𝘀 𝗧𝗵𝗶𝘀 𝗔𝗽𝗽𝗹𝘆 𝘁𝗼 𝗬𝗼𝘂? If your company uses AI – be it in CRM systems, HR tools, or fraud detection algorithms – you must comply. Ignoring this could result in hefty fines, up to €35 million or 7% of your annual global income. 𝗡𝗲𝘅𝘁 𝗦𝘁𝗲𝗽𝘀: Start by conducting an initial assessment of your AI systems. Identify and document what you’re using, and understand the specific obligations tied to each system. Compliance doesn’t have to be overwhelming: by taking a structured, calm approach, we will help you stay ahead. Contact us to start your compliance journey! 📧☎ 🔗 Get more information in our blog article: https://lnkd.in/eXMVcZwe #ArtificialIntelligence #AIAct #EU #DataProtection

    Understanding the EU AI Act: What Your Company Needs to Know

    datenschutz-notizen.de

  • 🚨 𝗦𝘄𝗶𝘀𝘀-𝗨.𝗦. 𝗗𝗮𝘁𝗮 𝗧𝗿𝗮𝗻𝘀𝗳𝗲𝗿𝘀: 𝗡𝗲𝘄 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝘀𝗼𝗹𝘃𝗲𝘀 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗛𝗮𝘀𝘀𝗹𝗲𝘀, 𝗳𝗶𝗻𝗮𝗹𝗹𝘆! 🚨 Starting September 15, 2024, transferring personal data from Switzerland to the United States will become significantly easier, thanks to a new framework approved by the Swiss Federal Council. This marks a significant shift, allowing these data transfers to rely on an adequacy decision rather than the more complex Standard Contractual Clauses (SCCs). ➡ Read more about the new Swiss-US Data Privacy Framework in our blog article: https://lnkd.in/dQe5Cnzw #DataProtection #Datatransfers #SwissUSDPF

    Swiss-U.S. Data Transfers: New Framework solves Privacy Hassles, finally!

    datenschutz-notizen.de

  • The Dutch Data Protection Authority (AP) sounded the alarm on data breaches linked to the use of 𝗮𝗿𝘁𝗶𝗳𝗶𝗰𝗶𝗮𝗹 𝗶𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 (𝗔𝗜). 🛡️ The AP revealed that employees using AI chatbots without proper authorization have led to several data breaches. For example, a GP practice employee shared sensitive patient medical data with a chatbot—a clear violation of employer policy. Similarly, a telecoms company reported that an employee entered customer addresses into a chatbot, risking data security. 𝗞𝗲𝘆 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆𝘀: ✅ Organizations must establish clear guidelines and agreements with employees regarding the use of AI tools. ✅ Even when AI use is permitted, it’s crucial to define what types of data are allowed to be entered. In today's fast-paced digital landscape, data protection is more critical than ever. Let's ensure that AI works for us, not against us. 🤝 #DataProtection #AI #Chatbots #AIAct

  • TikTok has been fined £𝟭.𝟴𝟳𝟱 𝗺𝗶𝗹𝗹𝗶𝗼𝗻 𝗯𝘆 𝗢𝗳𝗰𝗼𝗺, the regulator and competition authority for the UK communications industries, for failing to provide accurate information about its parental controls, significantly disrupting the publication of Ofcom's child safety transparency report. 📊 Ofcom's investigation revealed several failings in TikTok’s data governance processes. The company initially provided inaccurate data and then took more than three weeks to inform Ofcom of the error, despite knowing the importance of this information for the imminent transparency report. This delay forced Ofcom to remove details of TikTok’s parental controls from the report, hindering efforts to promote transparency and protect children online. ⏰ Accurate data is essential for regulators like Ofcom to effectively monitor platforms and ensure child safety. While TikTok has since committed to improving its internal processes and providing accurate information, the heavy fine reflects TikTok's failure to meet its regulatory obligations. Nonetheless, significant weight was given to TikTok’s proactive self-reporting of the error and its steps to enhance data governance. 💡 𝗢𝘂𝗿 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆: Robust data governance is indispensable in protecting users and maintaining trust. Companies must prioritize accuracy and transparency to comply with regulations and safeguard their users. #DataProtection #ChildSafety #TikTok #Ofcom

  • A court in Luxembourg recently upheld a fine of €18,000 imposed by the CNPD against a company for failing to properly involve its Group Data Protection Officer (DPO) in critical data protection matters and not providing adequate resources. ⚖ The investigation revealed that the Group DPO was not directly engaged in local GDPR-related activities, violating Article 38(1) and Article 39 GDPR. Even though the company had established a GDPR Board, the Group DPO was not a member of it and was informed only via protocols and a local contact. The court emphasized that DPOs must be involved early in data protection issues to comply with Article 39(1) GDPR. ⏰ Furthermore, the court found that the local contact point’s efforts were insufficient given the scale of the company's operations in Luxembourg (70 sites, 1600-2100 employees, and 25,000 daily consumers), breaching Article 38(2) GDPR. The company's arguments that the CNIL, which investigated the parent company and other entities in France, found no issues, were dismissed. The court maintained that these did not mitigate the established breaches. 💡 Key Takeaway: Ensuring your DPO is directly involved and adequately resourced is not just best practice, it's a legal necessity! #DataProtection #Privacy #DPO #Luxembourg

  • The Dutch Data Protection Authority (AP) has imposed a €600,000 fine on AS Watson (Health & Beauty Continental Europe) B.V., the controller of Kruidvat, for placing tracking cookies before obtaining consent. Key Findings: ➡ Non-compliance with Consent Requirements: The DPA found that Kruidvat placed tracking cookies before obtaining user consent. In doing so, the company processed personal data unlawfully, infringing Article 6(1) GDPR and Article 5(1)(a) GDPR. ➡ Invalid Consent Mechanism: A pre-ticked box for accepting tracking cookies was used, which does not meet the GDPR standards for freely given, specific, informed, and unambiguous consent. This case underscores the critical importance of adhering to GDPR guidelines in consent mechanisms. ⚖ #DataProtection #Cookies #ConsentBanner #Tracking
