After almost 3 years with General Data Protection Regulation, there is still big uncertainty among businesses regarding its particular obligations in case of a data breach. Under the GDPR, any incident resulting in the destruction, loss, alteration or disclosure of personal data is a data breach and its occurrence triggers the controller’s obligation to examine the breach and, in some cases, to notify Data Protection Authority (DPA) and inform data subjects whose personal data the breach concerned. In case the breach poses risks to data subjects (of a monetary loss or physical harm) the controller is obliged to notify the DPA within 72 hours. In addition, in case the risks identified by the controller are particularly high, it is also necessary to inform the data subjects.

Recently Polish DPA issued decisions regarding the data breach notifications which were quite controversial. As an example, in one of the cases the scale of the breach was quite insignificant (mail send by mistake to wrong receiver). The company identified the incident as data breach, however, with no risk to data subject identified, it decided not to notify the DPA. The conclusion reached by the DPA (after the proceeding initiated by the e-mail receiver) was different – it found that not only the breach posed risk to data subjects but that the risk was high and that also the data subject should have been notified.

During the espresso, our Polish expert, Karolina Miksa from WKB lawyers in Poland, will provide more details about the Polish cases and discuss, if, to avoid sanctions, the companies should consider to notify any data breaches to the DPA.

Listen to the podcast version of this espresso here

From 1 January 2021, Russia-based employers must comply with new requirements regarding their remote employees. In this video Nikita Maltsev from Gorodissky & Partners highlights some of the new requirements regarding remote work conditions, namely: (1) types of remote work, (2) documents exchange, (3) provision of necessary equipment, (4) new grounds for dismissal.

For more information please read the article “HOME SWEET HOME – NEW REMOTE WORKING LAW ADOPTED” from Gorodissky & Partners here: https://www.gorodissky.com/publications/articles/home-sweet-home-new-remote-working-law-adopted/

The Accountability principle does not exist in the EU and GDPR only. Other relevant regulations, such as the Colombian law, take this principle in great consideration and it is not recommended to apply it in its EU interpretation.

So how should it be implemented in Colombia, also regarding the size of an organization?

Listen to this privacy espresso with Stella Sofia Vanegas and Angela Maria Noguera from Vanegas Morales Consultores to learn our country experts' considerations, starting from the role of the companies' board of directors to the one of every single employee!

We analyzed with José Leitão, privacy expert from MdME Lawyers in Macau, the recent MDPO decision and fines in excess of MOP,000,000.00 (more than EUR100,000.00) due to out of purpose usage of data and its implications to data controllers in Macau.

Learn more on what happened and how to avoid such fines in this privacy espresso!

In these uncertain times, VU security has developed a Digital Identity in Vaccination Process (DIVP) helping governments and citizens in these sensitive activities.

Know more about the DIVP development and its impact and effects it is bringing where applied