After almost three years of the General Data Protection Regulation, there is still considerable uncertainty among businesses regarding their specific obligations in the event of a data breach. Under the GDPR, any incident resulting in the destruction, loss, alteration or disclosure of personal data is a data breach, and its occurrence triggers the controller's obligation to examine the breach and, in some cases, to notify the Data Protection Authority (DPA) and inform the data subjects whose personal data the breach concerned. Where the breach poses a risk to data subjects (such as monetary loss or physical harm), the controller is obliged to notify the DPA within 72 hours. In addition, where the risks identified by the controller are particularly high, the data subjects must also be informed.
Recently, the Polish DPA issued several controversial decisions regarding data breach notifications. In one case, for example, the scale of the breach was quite insignificant (an e-mail sent by mistake to the wrong recipient). The company identified the incident as a data breach; however, having identified no risk to the data subject, it decided not to notify the DPA. The DPA (in proceedings initiated by the e-mail recipient) reached a different conclusion: it found not only that the breach posed a risk to data subjects, but that the risk was high and that the data subject should also have been notified.
During the espresso, our Polish expert, Karolina Miksa from WKB lawyers in Poland, will provide more details about the Polish cases and discuss whether, to avoid sanctions, companies should consider notifying every data breach to the DPA.
From 1 January 2021, Russia-based employers must comply with new requirements regarding their remote employees. In this video, Nikita Maltsev from Gorodissky & Partners highlights some of the new requirements regarding remote work conditions, namely: (1) types of remote work, (2) document exchange, (3) provision of necessary equipment, and (4) new grounds for dismissal.
The accountability principle is not unique to the EU and the GDPR. Other relevant regulations, such as Colombian law, give this principle great weight, and applying it there in its EU interpretation is not recommended.
So how should it be implemented in Colombia, and how does the size of an organisation affect this?
Together with José Leitão, privacy expert at MdME Lawyers in Macau, we analysed the recent MDPO decision and the fines in excess of MOP,000,000.00 (more than EUR 100,000.00) imposed for the use of data outside its stated purpose, and their implications for data controllers in Macau.
Learn more about what happened and how to avoid such fines in this privacy espresso!