GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) đź“–
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali
GOOGLE IN LANDMARK NORDIC LEGAL CASE ON THE “RIGHT TO BE FORGOTTEN.”
Finlan’s Supreme Court has ordered Google to remove from its search engine the personal data, including all connected URL links, of a convicted murderer.
Courts in Europe expect a surge in similar cases in the wake of the European Union’s (EU) rollout of the General Data Protection Regulation (GDPR) in May.
The case is against Google in Finland was brought under both the GDPR and the country’s strict personal privacy protection laws. This was no ordinary legal test case. The subject of the court order was convicted of murder, and yet the Supreme Court determined that the man’s right to privacy was not diminished by his crime.
Furthermore, the court ruled that the removal of the convicted felon’s data from Google’s search engine didn’t infringe on the public’s right to information in this specific case, given that the accused was charged and found guilty of murder with “diminished responsibility,” a legal annex that enhances his data protection and personal privacy rights under the GDPR and Finnish law.
Finland’s Data Protection Ombudsman (DPO) took the case against Google to the country’s Supreme Court after the company refused a formal written petition to have the man’s personal information removed from its search engine. This information included certain facts regarding the murder case in 2012, the subsequent trial and his imprisonment.
Google, arguing its rights under freedom of speech laws, disputed the DPO’s contention that the man’s 11-year prison sentence constituted “inhuman suffering due to his mental impairment,” or that the information pertaining to his state of health available via Google searches risked causing irreparable damage to his personal well-being.
In an earlier legal action, Google had unsuccessfully tried to have the DPO’s “right to be forgotten” request rejected in Finland’s Administrative Court. in the case google loses
"right to be forgotten case".
236
4.4 GDPR FINE –BARREIRO MONTIJO HOSPITAL CENTER IN PORTUGAL CASE First fine for violation of the GDPR in Poland:
According to the DPA, the company processed the personal data of over 7 million sole-entrepreneurs for its profit-making purpose. However, the company sent individual information about this processing only to a small fraction of those persons – approx. 900,000 data subjects. Thus, the company did not provide information required by the GDPR to over 6 million people. The company argued that it did not have the email addresses of the other data subjects and that sending information to those data subjects by post would have involved a disproportionate effort, as the cost of mailing letters could be over PLN 30 million (EUR 6,978,000), which is more than the company’s annual turnover. For the same reason, the company decided not to inform the data subjects via SMS. The DPA also emphasized that the main business activity and source of revenue of the company is processing personal data in a professional manner and on a large scale. As a result, the DPA reasoned that the company needed to factor into its business planning the cost of compliance with core legal obligations. It is worth noting that the data subjects in question were not consumers, but sole-entrepreneurs, whose data were collected from the official, publicly available register. It may be anticipated that in cases involving consumers, the penalties may be even higher. However, even if controllers process only business-related data, as in this case, they should also pay attention to fulfilling information duties, e.g., in relation to their business contacts, clients or vendors.
On 26 March 2019, the Polish data protection authority (DPA) announced that it has imposed its first financial penalty amounting to EUR 220,000 (approx. PLN 943,000) on a data controller in Poland for failing to comply with the provisions of the GDPR. The controller is a company that aggregates personal data from publicly available registers, such as the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS), for the purpose of providing company-verification services
4.5. FACEBOOK BREACH IN GDPR TEST CASE.
On 28th September Facebook notified the Irish Data Protection Commissioner (DPC) about a massive data breach affecting more than 50 million of its users. The hack of the “view as” feature, which allowed users to see their profile from the perspective of an external visitor or friend, exploited an interaction of several bugs on Facebook and allowed the intruders to acquire so called “access tokens”. With these tokens, the attackers had access to personal data from the affected accounts, potentially including personal messages.
The incident is a highly salient test-case for the application of the General Data Protection Regulation (GDPR) in practice, specifically for:
Notification and provision of information: Under Article 33 of the GDPR, an entity facing a breach must notify the relevant data protection authority (DPA) within
72 hours, “where feasible”. As the vulnerability was discovered on 26 September, Facebook complied with this provision, unlike other companies have done in the past. However, the information provided by Facebook so far seems to only have delivered the very basics of what is required under the GDPR. The Irish DPC publicly urged the enterprise to submit more details so the authorities could properly assess the nature of the breach and the risk to users. Article 34 of the GDPR further requires that individuals whose personal data might have been compromised during the breach are notified without undue delay of the incident and the counter- measures that have been taken so far. Facebook implemented this by displaying a message in the feed of the affected accounts. The information provided included an initial overview on the “view as” weakness, as well as the statements that the function has been turned off and that accounts who had used it in since July 2017 had their access tokens removed, requiring a new login.
Sanctions: The GDPR allows for sanctions against the entity that faced the breach, which depend on the sensitivity of the compromised information and the degree to which appropriate safeguards were not implemented. Since approximately five million of the affected users come from the EU, Facebook could be liable for a 1,63 billion US dollar fine if that was found to be the case. Since the exact nature of the breach is still investigated by the Irish DPC, it remains unclear to which extent the hacking was a result of negligence. In any case, the investigation might bring some further clarification on how the responsibility for the security of processing is allocated in practice, and how strictly infringements of this obligation are sanctioned. Cases like this thus offer an opportunity for other companies processing users’ personal data to learn in more detail about their security obligations under the GDPR, and provide them with examples on how to respond to a data breach. For users, the investigation also serves an important purpose: It shows them whether the security of their data is actually taken seriously. If it is not and they suffer adverse effects from that, they have the possibility to demand compensation – and since the Irish implementation of the GDPR allows for collective redress, they could even be represented by civil society in court. On the other hand, the incident also emphasises that, even if Facebook did not act carelessly, caution about uploading personal data is always advised, as absolute safety of personal information is never certain.
This data breach is yet another example of the importance of secure and confidential storing of personal data on the Internet.
TOPIC)
GENERAL
DEFINITION OF PERSONAL DATA
Lindquist: The name of a person in conjunction with his/her telephone number, and information about his/her working conditions or hobbies constitute personal data.
Tietosuojavaltuutettu: The surname and given name of certain natural persons whose income exceeds certain thresholds, as well as the amount of their earned and unearned income, constitute personal data.
Bavarian Lager: Surnames and forenames may be regarded as personal data. Thus the list of names of participants in a meeting is personal data, since persons can be identified.
Scarlet: ISP addresses are protected personal data because they allow the related users to be precisely identified.
M: The data relating to the applicant for a residence permit included in the minute (applicant’s name, DOB, nationality, gender, ethnicity, religion and language) constitute personal data. The legal analysis in the minute may contain personal data but it does not in itself constitute such data. The legal analysis is not information relating to the applicant, but at most, in so far as not limited to a purely abstract interpretation of the law, is information about the assessment and application by the competent authority of that law to the applicant’s situation. This interpretation is consistent with the language of Article 2(a) and the objective and general scheme of Directive 95/46.
Schwartz: Fingerprints constitute personal data, as they objectively contain unique information about individuals, which allows them to be identified with precision.
Worten: Data contained in the record of working time concerning, in relation to each worker, the daily work periods and rest periods, constitute personal data because they represent “information relating to an identified or identifiable natural person.”
Englebert: Data collected by private detectives relating to persons acting as estate agents concern identified or identifiable natural persons, and therefore constitute personal data.
Rynes: The image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned.
Client Earth: The information as to which expert is the author of each comment made by the external experts constitutes information, which falls within the scope of personal data. The fact that the information is provided as part of a professional activity does not mean that it cannot be characterized as personal data. The concepts of personal data and data relating to private life are not to be confused. The claim that the information concerned does not fall within the scope of private life is therefore ineffective.
Likewise, the fact that both the identity of the experts concerned and the comments submitted on the draft guidance were made public on the EFSA website does not mean such data cannot be characterized as personal data.
Finally, characterization of information relating to a person as personal data does not depend on whether the person objects to the disclosure of that information.
Bara: Tax data transferred are personal data, since they are “information relating to an identified or identifiable natural person.”
Nikolaou: The information published in the press release was personal data, since the data subject was easily identifiable, under the circumstances. The fact that the applicant was not named did not protect her anonymity.
Jordana: The first and last names of the persons on the reserve list and the officials mentioned in the individual decisions of appointment to grade A6 can be considered to fall within the personal data definition.
McCullough: Surnames are personal data and therefore are protected by Regulation 45/2001. The fact that the members of Cedefop’s decision-making bodies participated
Comments (0)