First of all, Michal explains the case background, what happened and why the DPA issued a fine, underlying the relevant role played by the big difference between the company’s privacy statements and the measures in place within it.
Secondly, the discussion quickly delves into the consistency mechanism and how this was applied in the case. In fact, the issue was brought in by the Spanish DPA but then handled by the one of Czech Republic with the two authorities always cooperating and communicating with each other.
According to Michal, another relevant element is, of course, the heftiness of the potential fine issued by the Authority. In his view, this sanction is a big change compared to the ones experienced in the Czech Republic so far. There are various reasons for it, the most interesting of which may consist in the international pressure on the national DPA to be as aligned as possible with the other (more severe) EU DPAs. Then he details the various steps taken by the authority to calculate the fine. For example, the fact that the company works in the information security sector has led to an increase of the fine, while the fact that the data used by the company haven’t been identified as sensitive may have been a reason not to raise it more.
To conclude, the key Michal’s takeaways from this case can be summarised as follows:
- Be very transparent on how you handle your customers’ data
- If you claim your anonymization procedure as a way to comply, don’t forget that the EU threshold for it is very high
- Companies dealing with data protection business need to be even more compliant than others, as individuals tend to trust them more and cannot be disregarded in this
To know more about the case and its key takeaways, watch this privacyespresso episode.