Irish Data Protection Commission fines Meta for GDPR violations related to behavioural advertising

On January 4,2023, the Irish Data Protection Commission (hereafter “the DPC”) announced the imposition of two administrative fines of total amount € 390 million on Meta Platforms Ireland Limited (“Meta Ireland”). The fines concerned data protection violations related to Facebook and Instagram services regarding behavioural advertising. The DPC ordered Meta to bring its data processing […]
French Privacy Watchdog, CNIL fines Apple over lack of consent regarding Personalised Ads

On December 29, 2022, the French Data Protection Authority (hereafter “CNIL”) announced the imposition of an administrative fine of €8 million on Apple Distribution International. The penalty was imposed in response to a complaint and related to the use of personalised advertisements that were set to default settings in violation of Article 82 of the […]
ICO opts for public reprimands rather than fines for UK public sector. What are the implications for compliance?

Information commissioner John Edwards has defended his new strategy for enforcing the UK GDPR with public sector bodies, using reprimands rather than fines. The Commissioner stated that fines to public bodies created a “money go-round” where funds were being moved between government organisations. Also, unlike in the private sector, fines do not come out of […]
“Data scraping” investigation results in €265m data protection fine for Meta

Background Meta Ireland Platforms Limited (“Meta”, formerly Facebook Ireland Limited) is the subject of another fine from the Irish Data Protection Commission (“the DPC”) following what it termed its “Data Scraping” investigation into Meta platforms. This investigation by the DPC had commenced in Spring of 2021 after news broke of a leaked dataset online containing […]
When is a data breach notifiable to the Supervisory Authority?

Article 33 of the General Data Protection Regulation (GDPR) imposes obligations on data controllers to report personal data breaches to the relevant Supervisory Authority (SA) within 72 hours of the data controller becoming aware of the breach. These obligations arise unless the personal data breach is unlikely to result in a risk to the rights and freedoms […]
Publishing house fined for data security violation under the GDPR

In late 2021, the Spanish Data Protection Authority (‘AEPD’) initiated an investigation on the data processing activities of Bayard Revistas S.A., a publishing house in Madrid, after receiving a complaint by an individual. According to this complaint, the person in charge of Bayard’s web portal notified all data subjects via e-mail that a third party […]
Landmark CJEU judgment confirms broad interpretation of Special Category Data

Earlier this month, a case referred by the Regional Administrative Court of Lithuania to the CJEU OT v Vyriausioji tarnybinės etikos komisija resulted in a landmark judgment that included a broad interpretation of what constitutes special category personal data, which should give pause for thought for all organisations processing personal data. This article explains the potential […]
Article 30 Record Keeping – Know your data

Following the ‘Ask the DPC anything’ webinar hosted by the Irish branch of EADPP – European Association of Data Protection Professionals, it has been suggested that the Irish Supervisory Authority, the Data Protection Commission (DPC) is planning a “deep dive” review of organisations’ documentation of their processing activities, across a range of sectors. The DPC […]
Human intervention and human oversight in the GDPR and AI Act

Differences and Practical Challenges The GDPR introduced the notion of ‘human intervention’ as a way to prevent, in certain circumstances, decision-making based solely on automated means. The forthcoming AI proposal for a Regulation (“AI Act”) uses the term ‘human oversight’ and sets out certain obligations. For instance, in December 2021, the European Committee of the […]
Helping SMEs better cope with the GDPR

As part of the STAR II project, TRI has been working on better understanding how small and medium enterprises (SMEs) have coped with the GDPR, and the challenges they have faced. The project has also researched how EU data protection authorities have attempted to support SMEs and the guidance they have made available. These findings […]