GDPR Enforcement
10.10.2019
Acknowledgements
The author of this analysis, Anastasiia Konoplova, wishes to thank
Irina Ivchenko, Kostyantyn Kulikov and Oleksii Mervinskiy for their contribution, subject matter discussion and support;
Oleksii Baranovskiy and the CyberDn0 team for help with the organization of this event;
the attendees of ISACA Kyiv chapter events for their questions and inspiration.
GDPR – Where we are now?
http://www.eugdpr.org/the-regulation.html

Timeline
• Initial proposal: 25.01.2012
• Approved by EP: 27.04.2016
• Full force: 24.05.2016
• Transition period ended: 25.05.2018

Jan 2019
• 95180 complaints to DPA
• 41502 data breach notifications
• 255 investigations
• 3 fines, incl. Google, €50 Mio
• Data compromise in top business risks

Oct 2019
• Global enforcement
• Local legislation
• First finalized investigations
• Court proceedings
• No simple recipes

Future
• Rising complexity
• Rising uncertainty

Source: https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf

Taken decisions
• Hired/assigned DPO
• Created/updated policies
• Data mapping & risk assessment
• Updated process design
• Implemented information systems
• Audits
• Awareness programs
• etc.

Who will be the next? Are we ready?
Enforcement: Data challenges
• Lack of trusted sources
• Welter of information in media
• Privacy enforcement more than GDPR enforcement
• Different national legislations – and languages
• Heterogeneous data, case-by-case approach
Methodology
• Compare data from different sources
• Analyze input, try to find the primary source
• Try to validate on the DPA site, typically in the national language
• Some statistics of the data set
• Selection of illustrative cases
• Insights, not conclusions
Enforcement: sources
Open source
• enforcementtracker.com, provided by CMS Law.Tax: http://www.enforcementtracker.com/ - 81
• https://dataprotectionauditors.com/fines-issued/ - 64
• https://www.nathantrust.com/gdpr-fines-penalties - 60
Official
• https://edpb.europa.eu/news/national-news_en - 25
• DPAs sites (national languages)
Proprietary
• https://iapp.org/resources/global-privacy-and-data-protection-enforcement-database/
Examples of sources for validation
• List of decisions of Hellenic DPA, Greece
• Yearly report 2018 of UOOU, Czech Republic
• Yearly report 2018 of Garante, Italy
Data set
86 cases, 5 under court proceedings
• 83 fines
• 3 other sanctions
Total fines: € 372 911 936
• 98,7458% - TOP-5
• Median: € 10 000
Among sanctions: reprimand, warnings, service ban.
A fine in the data set can consist of a GDPR fine, a local law fine and procedural costs.
Figures should be understood as illustrative.
Count of cases by country
[chart: count of cases by country]
Total fines by country*
[chart: total fines by country]
*except the top 5
Among victims
Sensitive data
• Banking&finance
• Medical
• Public sector, agencies, municipalities
• Employers of any sector
Large amount
• Media
• Tech&platforms
• Telecom
• Infrastructure operators
Trade&B2C services: cafe, taxi, stores
Private persons
Most expensive infringements*
[chart: most expensive infringements]
*except the top 5
Please note: the classification of infringements is tentative; several articles are violated in most cases.
Top-5 of fines, facts
Organisation                | Fine                      | Country        | Date                     | Articles
British Airways             | € 204 600 000, not final  | UNITED KINGDOM | 08-07-19, since 09/2018  | Art. 32 GDPR
Marriott International, Inc | € 110 390 200, not final  | UNITED KINGDOM | 09-07-19, since 11/2018  | Art. 32 GDPR
Google Inc.                 | € 50 000 000              | FRANCE         | 21-01-19, since 05/2018  | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR
National Revenue Agency     | € 2 600 000               | BULGARIA       | 28-08-19                 | Art. 32 GDPR
Morele.net                  | € 644 780                 | POLAND         | 10-09-19, since 11/2018  | Art. 32 GDPR
Top-5 of fines, stories
British Airways
• XSS; 500 000 customers were compromised. The incident possibly started in June 2018 and was notified in September 2018.
Marriott International, Inc
• Data breach, notified to the ICO in November 2018. 339 million guest records globally were exposed by the incident. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
Google Inc.
• The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The consents obtained were neither "specific" nor "unambiguous".
National Revenue Agency
• Data of 6 074 140 persons were publicly available, including contact data along with financial declarations and income data.
Morele.net
• Operates 11 internet stores.
• 2 incidents, a data breach and a few services compromised, notified in 11/2018 and 12/2018.
• Data of 2 200 000 customers were possibly exposed.
• Some clients received an SMS informing them that an additional fee of PLN 1 was required to complete the order. The message contained a link to a fake DotPay electronic payment gateway.
Illustrative cases
Case                         | Fine         | Summary
Data processor in Poland     | 219 538 Euro | processed data from public sources for commercial purpose without consent and proper information
School in Skellefteå, Sweden | 18 630 Euro  | consent obtained from students was not a valid legal basis given the clear imbalance between the data subject and the controller
Telecom in Bulgaria          | 27 100 Euro  | repeated registration of prepaid services without the knowledge and consent of the data subject
Merchant in Belgium          | 10 000 Euro  | wanted to use eID to create a customer card
Private person in Germany    | 2 000 Euro   | sent several e-mails with an open mailing list (CC, not BCC)
Illustrative cases - 1
Data processor in Poland
• The company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.
• The company processed the data subjects' data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website.
• In the opinion of the President of the Personal Data Protection Office, such action was insufficient: while having the contact data of particular persons, the controller should have fulfilled the information obligation in relation to them, that is, it should have informed them inter alia on: their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects' rights under the GDPR.
https://uodo.gov.pl/en/553/1009
Illustrative cases - 2
School in Skellefteå, Sweden
• A school in northern Sweden has conducted a pilot using facial recognition to keep track of students' attendance in school.
• The test run was conducted in one school class for a limited period of time.
• The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment, including seeking prior consultation with the Swedish DPA.
• The school has based the processing on consent, but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.
https://www.datainspektionen.se/nyheter/sanktionsavgift-for-ansiktsigenkanning-i-skola/
Illustrative cases - 3
Telecom in Bulgaria
• Employees of the telecommunications provider used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other applicable legal basis. The signature on the application and that on the complainant's own genuine application were not identical; the person's personal identification number was indicated, but the identity card number was not the complainant's.
https://www.cpdp.bg/?p=element_view&aid=2180
Illustrative cases - 4
Merchant in Belgium
• The merchant wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and the barcode, which is linked to the data subject's identification number.
https://www.sudinfo.be/id141981/article/2019-09-19/un-commercant-recu-une-amende-de-10000-euros-pour-avoir-voulu-creer-une-carte-de
Illustrative cases - 5
Private person in Germany
• A private person sent several e-mails between July and September 2018 in which he used personal e-mail addresses visible to all recipients, so that each recipient could read countless other recipients' addresses. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.
https://www.mz-web.de/merseburg/hunderte-adressen-im-verteiler-merseburger-muss-fuer-wut-mails-ueber-2-000-euro-zahlen-32033308
Insights from this analysis
• If you have >1 000 000 customers, security breaches are expensive – and unavoidable
• Privacy mindset, or Principles first
• Jurisdiction is REALLY important
• Think first BEFORE direct marketing
• Think first before implementation of video surveillance, use of biometrics; properly control blockchain and AI
Way to GDPR compliance
Simple to say, hard to do
GDPR, Article 5 principles
• lawfulness, fairness and transparency
• purpose limitation
• data minimization
• accuracy
• storage limitation
• integrity and confidentiality

GDPR = Principles

GDPR Compliance = Principles Compliance = Mindset&Culture
Privacy Mindset
Privacy is MORE important than your profit
Profit < Privacy < Common Wealth < National Security < Law < Human Life
GDPR, exemptions: 2.2, 9.2, 11, 13.4, 14.5, 17.3, 20.3, 22.2, 23, 27.2, 30.5 …
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
Controller & Processor obligations (Articles 25-39)
• Data protection by design and by default
• Representatives of controllers or processors not established in the Union
• Records of processing activities
• Cooperation with the supervisory authority
• Security of processing
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Data protection impact assessment
• Designation of the data protection officer
• Codes of conduct
*Fines for violations of selected obligations were found in the data set
Are we compliant?
• Once implemented, does our compliance plan reflect the privacy mindset?
• Is this mindset properly articulated in the Code of Conduct?
• Are adopted policies consistent and clear?
• How can we confirm compliance with these policies?
• How are these policies reflected in the everyday decisions of every employee?
• …Is our culture lawful, fair and transparent?
Maturity level
Practice example
Security by design for software development
Privacy by Design @ Software Development
• Privacy by Design is a combination of
- Privacy Assessment, SDLC for a software development stream
- Privacy Assessment, PMM for a project management stream
[diagram: Software Development / Secure Development Life Cycle (SDLC), Project Management / Project Management Methodology (PMM), Privacy Assessment, Privacy by Design]
Privacy by Design @ Software Development
Phase     | Concept & Planning                        | Construction                                 | Acceptance        | Deploy         | Maintenance
Process   | Privacy Assessments + Define Requirements | Risk assessment + Coding                     | Quality Assurance | Deploy         | Security & Privacy monitoring
Artifacts | Product Documents + Privacy Assessments   | Source code, Risk Reports, Application scans | QA reports        | Inventory tool | Log review + ASV scans
Tools of continuous [GDPR] compliance
• Code of conduct
• Clear rules, aligned with remuneration policy
• Awareness program, integrated with corporate education
• Regular polls
• Proper feedback culture
Guidance from DPAs, sample
• National legislation differences
https://www.uoou.cz/en/assets/File.ashx?id_org=200156&id_dokumenty=1174
• Basics for SME
https://www.uoou.cz/en/assets/File.ashx?id_org=200156&id_dokumenty=1545
• Online services
https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-22019-processing-personal-data-under-article-61b_en
• Video surveillance
https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-32019-processing-personal-data-through-video_en
• Blockchain
https://www.cnil.fr/sites/default/files/atoms/files/blockchain.pdf
• Artificial intelligence and privacy
https://www.datatilsynet.no/globalassets/global/english/ai-and-privacy.pdf
Links
• EDPB work program
https://edpb.europa.eu/about-edpb/about-edpb/work-program_en
• EC Awareness Library
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en#library
• Resources from ISACA
http://www.isaca.org/info/gdpr/index.html
• GDPR compliance self-assessment tool
https://gdprassessment.isaca.org/
• Our translation into Ukrainian
https://www.slideshare.net/AnastasiiaKonoplova/gdpr-isaca-kyiv-chapter
Let's Join!
https://www.facebook.com/Kyiv.ISACA/
Anastasiia Konoplova
CISA, CISA Trainer
President, ISACA Kyiv
a.konopleva@isaca.org.ua
+38(050)9570596

꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Callshivangimorya083
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort servicejennyeacort
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Jack DiGiovanna
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPramod Kumar Srivastava
 
办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一
办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一
办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一F La
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024thyngster
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...Suhani Kapoor
 
Call Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111  Escorts ServiceCall Girls In Mahipalpur O9654467111  Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceSapana Sha
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...dajasot375
 
How we prevented account sharing with MFA
How we prevented account sharing with MFAHow we prevented account sharing with MFA
How we prevented account sharing with MFAAndrei Kaleshka
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfLars Albertsson
 
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]📊 Markus Baersch
 
Data Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptxData Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptxFurkanTasci3
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfSocial Samosa
 
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls DubaiDubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls Dubaihf8803863
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfgstagge
 

Recently uploaded (20)

꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
 
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
 
办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一
办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一
办理(Vancouver毕业证书)加拿大温哥华岛大学毕业证成绩单原版一比一
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
 
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
 
Call Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111  Escorts ServiceCall Girls In Mahipalpur O9654467111  Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts Service
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
 
How we prevented account sharing with MFA
How we prevented account sharing with MFAHow we prevented account sharing with MFA
How we prevented account sharing with MFA
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdf
 
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]
 
Data Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptxData Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptx
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls DubaiDubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdf
 

GDPR enforcement 10.10.2019

6. Enforcement: sources
Open source:
• enforcementtracker.com, provided by CMS Law.Tax: http://www.enforcementtracker.com/ (81 cases)
• https://dataprotectionauditors.com/fines-issued/ (64)
• https://www.nathantrust.com/gdpr-fines-penalties (60)
Official:
• https://edpb.europa.eu/news/national-news_en (25)
• DPA sites (in national languages)
Proprietary:
• https://iapp.org/resources/global-privacy-and-data-protection-enforcement-database/
7. Examples of sources for validation
• List of decisions of the Hellenic DPA, Greece
• Yearly report 2018 of UOOU, Czech Republic
• Yearly report 2018 of Garante, Italy
8. Data set
• 86 cases, 5 of them under court proceedings: 83 fines and 3 other sanctions
• Total fines: € 372 911 936, of which 98.7458% falls on the top 5; median fine € 10 000
• Among the other sanctions: reprimands, warnings, service ban
• A fine in the data set may consist of a GDPR fine, a fine under local law and procedural costs
• Figures should be understood as illustrative
9. Count of cases by country (chart)
10. Total fines by country (chart; excluding the top 5)
11. Among those fined
Sensitive data:
• Banking & finance
• Medical
• Public sector, agencies, municipalities
• Employers of any sector
Large amounts of data:
• Media
• Tech & platforms
• Telecom
• Infrastructure operators
Also: trade & B2C services (cafés, taxis, stores); private persons
12. Most expensive infringements (chart; excluding the top 5)
Note: the classification of infringements is tentative; in most cases several articles are violated.
13. Top 5 fines, facts
Controller                  | Fine                      | Country        | Decision date (since)    | Articles
British Airways             | € 204 600 000, not final  | United Kingdom | 08-07-2019 (since 09/2018) | Art. 32 GDPR
Marriott International, Inc | € 110 390 200, not final  | United Kingdom | 09-07-2019 (since 11/2018) | Art. 32 GDPR
Google Inc.                 | € 50 000 000              | France         | 21-01-2019 (since 05/2018) | Art. 13, 14, 6, 4(11), 5 GDPR
National Revenue Agency     | € 2 600 000               | Bulgaria       | 28-08-2019                 | Art. 32 GDPR
Morele.net                  | € 644 780                 | Poland         | 10-09-2019 (since 11/2018) | Art. 32 GDPR
14. Top 5 fines, stories
British Airways
• XSS; 500 000 customers were compromised. The incident possibly started in June 2018 and was notified in September 2018.
Marriott International, Inc
• Data breach notified to the ICO in November 2018; 339 million guest records globally were exposed. The vulnerability is believed to date from 2014, when the systems of the Starwood hotels group were compromised. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
Google Inc.
• The complaints concerned the creation of a Google account during the configuration of a mobile phone running the Android operating system. The consents obtained were neither "specific" nor "unambiguous".
National Revenue Agency
• Data of 6 074 140 persons were publicly available, including contact data together with financial declarations and income data.
Morele.net
• Operates 11 online stores. Two incidents, a data breach and the compromise of a few services, were notified in 11/2018 and 12/2018; the data of 2 200 000 customers were possibly exposed.
• Some clients received an SMS informing them that an additional fee of PLN 1 was required to complete their order. The message contained a link to a fake DotPay electronic payment gateway.
15. Illustrative cases
• Data-processing company in Poland, € 219 538: processed data from public sources for commercial purposes without consent and without properly informing the data subjects
• School in Skellefteå, Sweden, € 18 630: consent obtained from students was not a valid legal basis given the clear imbalance between the data subject and the controller
• Telecom in Bulgaria, € 27 100: repeated registration of prepaid services without the knowledge and consent of the data subject
• Merchant in Belgium, € 10 000: wanted to use the eID to create a customer card
• Private person in Germany, € 2 000: sent several e-mails with an open mailing list (CC instead of BCC)
16. Illustrative cases - 1: Data-processing company in Poland
• The company did not meet the information obligation in relation to over 6 million people. Of about 90 000 people who were informed about the processing by the company, more than 12 000 objected to the processing of their data.
• The company processed data obtained from publicly available sources, inter alia the Central Electronic Register and Information on Economic Activity, for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity: entrepreneurs currently conducting such activity or having suspended it, as well as entrepreneurs who conducted it in the past. The controller fulfilled the information obligation, providing the information required under Art. 14(1)-(3) GDPR, only in relation to the persons whose e-mail addresses it had at its disposal. For the remaining persons the controller failed to comply with the information obligation, as it explained in the course of the proceedings, because of high operational costs; it therefore presented the information clause only on its website.
• In the opinion of the President of the Personal Data Protection Office such action was insufficient: having the contact data of particular persons, the controller should have fulfilled the information obligation towards them, that is, informed them inter alia about their data, the source of the data, the purpose and the period of the planned processing, and the data subjects' rights under the GDPR.
Source: https://uodo.gov.pl/en/553/1009
17. Illustrative cases - 2: School in Skellefteå, Sweden
• A school in northern Sweden conducted a pilot using facial recognition to keep track of students' attendance.
• The test run was conducted in one school class for a limited period of time.
• The school processed sensitive biometric data unlawfully and failed to carry out an adequate impact assessment, including seeking prior consultation with the Swedish DPA.
• The school based the processing on consent, but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.
Source: https://www.datainspektionen.se/nyheter/sanktionsavgift-for-ansiktsigenkanning-i-skola/
18. Illustrative cases - 3: Telecom in Bulgaria
• Employees of the telecommunications provider used the complainant's personal data to register him for the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose; no other legal basis applied either. The signature on the application and the complainant's genuine signature were not identical, and although the person's personal identification number was indicated, the identity card number was not the complainant's.
Source: https://www.cpdp.bg/?p=element_view&aid=2180
19. Illustrative cases - 4: Merchant in Belgium
• The merchant wanted to use the electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data stored on the eID, including the photo and the barcode, which is linked to the data subject's national identification number.
Source: https://www.sudinfo.be/id141981/article/2019-09-19/un-commercant-recu-une-amende-de-10000-euros-pour-avoir-voulu-creer-une-carte-de
20. Illustrative cases - 5: Private person in Germany
• A private person sent several e-mails between July and September 2018 in which the personal e-mail addresses of all recipients were visible to everyone, so that each recipient could read the addresses of many other recipients. The man was charged with ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal e-mail addresses were identifiable in his mailing list.
Source: https://www.mz-web.de/merseburg/hunderte-adressen-im-verteiler-merseburger-muss-fuer-wut-mails-ueber-2-000-euro-zahlen-32033308
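The failure mode in this case, every recipient's address placed in a header that all recipients can read, is easy to reproduce and just as easy to check for before a message leaves. The Python example below is added here and is not part of the original slide deck; the sender and recipient addresses are constructed for illustration, and send_bulk accepts any object with an smtplib.SMTP-style send_message method (a recording stand-in is included so the example runs offline). It builds the leaking message and the safe one side by side, reports which recipient addresses are readable from the header block, and refuses to send a message that exposes them; the safe variant keeps recipients in the SMTP envelope only, so nothing about the other recipients appears in what each person receives.

```python
"""Bulk mail without disclosing recipients to each other.

Added example, not from the original slide deck. Addresses below are
constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "notices@example.org"  # constructed sender address
RECIPIENTS = ["anna@example.org", "bert@example.net", "carla@example.com"]  # constructed list


def build_cc_message(sender, recipients, subject, body):
    """The pattern from the Merseburg case: everyone listed in Cc,
    so each recipient sees the addresses of all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, subject, body):
    """Safe pattern: the header block names only the sender. The real
    recipients are never written into any header; they are handed to the
    SMTP server as envelope recipients (see send_bulk)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # addressed to ourselves; recipients stay off the headers
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_addresses(msg):
    """Every address a recipient can read from the headers of this message."""
    found = set()
    for header in ("To", "Cc", "Bcc", "Reply-To"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.add(addr.lower())
    return found


def leaked_recipients(msg, recipients):
    """Recipient addresses that would be disclosed to the other recipients."""
    return sorted({r.lower() for r in recipients} & visible_addresses(msg))


def send_bulk(msg, recipients, smtp):
    """Send one message to many envelope recipients, refusing to send if any
    recipient address is exposed in the headers. `smtp` is any object with an
    smtplib.SMTP-compatible send_message(). Returns the number of envelope
    recipients handed to the server."""
    leak = leaked_recipients(msg, recipients)
    if leak:
        raise ValueError(f"recipient addresses exposed in headers: {leak}")
    # Envelope recipients are passed explicitly; the headers stay clean.
    smtp.send_message(msg, from_addr=msg["From"], to_addrs=list(recipients))
    return len(recipients)


class RecordingSMTP:
    """Stand-in for smtplib.SMTP that records instead of sending (offline use)."""

    def __init__(self):
        self.sent = []  # (from_addr, to_addrs, serialised message)

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.sent.append((from_addr, list(to_addrs), msg.as_string()))
        return {}


def demo():
    """Run both patterns against the constructed list; returns what leaked."""
    body = "Reminder: the meeting is on Thursday."
    bad = build_cc_message(SENDER, RECIPIENTS, "Meeting", body)
    good = build_bulk_message(SENDER, "Meeting", body)
    smtp = RecordingSMTP()
    send_bulk(good, RECIPIENTS, smtp)
    return {
        "leak_cc": leaked_recipients(bad, RECIPIENTS),      # all three addresses
        "leak_bulk": leaked_recipients(good, RECIPIENTS),   # none
        "envelope": smtp.sent[0][1],                        # recipients went to the server only
        "header_mentions": [r for r in RECIPIENTS if r in smtp.sent[0][2]],  # none in the wire form
    }


if __name__ == "__main__":
    print(demo())
```

Note that a Bcc header is not the fix either: smtplib strips Bcc before sending, but other mail libraries and clients do not always do so, and a leaked Bcc header discloses exactly what Cc does. Keeping recipients out of the headers entirely, or sending one message per recipient, removes the dependency on client behaviour.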
21. Insights from this analysis
• If you have more than 1 000 000 customers, security breaches are expensive, and unavoidable
• Privacy mindset, or principles first
• Jurisdiction is REALLY important
• Think first BEFORE direct marketing
• Think first before implementing video surveillance or biometrics, and properly control blockchain and AI
22. Way to GDPR compliance: simple to say, hard to do
23. GDPR = Principles (GDPR, Article 5)
• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality
25. Privacy mindset
• Privacy is MORE important than your profit
• Profit < Privacy < Common wealth < National security < Law < Human life
• GDPR exemptions: Art. 2(2), 9(2), 11, 13(4), 14(5), 17(3), 20(3), 22(2), 23, 27(2), 30(5), …
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
26. Controller & processor obligations (Articles 25-39)
• Data protection by design and by default
• Representatives of controllers or processors not established in the Union
• Records of processing activities
• Cooperation with the supervisory authority
• Security of processing
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Data protection impact assessment
• Designation of the data protection officer
• Codes of conduct
Note: fines for violations of some of these obligations were found in the data set.
27. Are we compliant? Maturity level
• Once implemented, does our compliance plan reflect the privacy mindset?
• Is this mindset properly articulated in the Code of Conduct?
• Are the adopted policies consistent and clear?
• How can we confirm compliance with these policies?
• How are these policies reflected in the everyday decisions of every employee?
• … Is our culture lawful, fair and transparent?
28. Practice example: security by design for software development
29. Privacy by Design @ Software Development
• Privacy by Design is a combination of:
  - Privacy Assessment + SDLC (Secure Development Life Cycle) for the software development stream
  - Privacy Assessment + PMM (Project Management Methodology) for the project management stream
30. Privacy by Design @ Software Development
Phase              | Process                                   | Artifacts
Concept & Planning | Privacy assessments + define requirements | Product documents + privacy assessments
Construction       | Risk assessment + coding                  | Source code, risk reports
Acceptance         | Quality assurance                         | Application scans, QA reports
Deploy             | Deploy                                    | Inventory tool
Maintenance        | Security & privacy monitoring             | Log review + ASV scans
31. Tools of continuous [GDPR] compliance
• Code of conduct
• Clear rules, aligned with the remuneration policy
• Awareness programme, integrated with corporate education
• Regular polls
• Proper feedback culture
32. Guidance from DPAs, sample
• National legislation differences: https://www.uoou.cz/en/assets/File.ashx?id_org=200156&id_dokumenty=1174
• Basics for SMEs: https://www.uoou.cz/en/assets/File.ashx?id_org=200156&id_dokumenty=1545
• Online services: https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-22019-processing-personal-data-under-article-61b_en
• Video surveillance: https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-32019-processing-personal-data-through-video_en
• Blockchain: https://www.cnil.fr/sites/default/files/atoms/files/blockchain.pdf
• Artificial intelligence and privacy: https://www.datatilsynet.no/globalassets/global/english/ai-and-privacy.pdf
33. Links
• EDPB work programme: https://edpb.europa.eu/about-edpb/about-edpb/work-program_en
• EC awareness library: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en#library
• Resources from ISACA: http://www.isaca.org/info/gdpr/index.html
• GDPR compliance self-assessment tool: https://gdprassessment.isaca.org/
• Our translation into Ukrainian: https://www.slideshare.net/AnastasiiaKonoplova/gdpr-isaca-kyiv-chapter
34. Let's join! https://www.facebook.com/Kyiv.ISACA/
Anastasiia Konoplova, CISA, CISA Trainer, President of ISACA Kyiv
a.konopleva@isaca.org.ua, +38(050)9570596