It has been over a year since the European Union's General Data Protection Regulation (GDPR) became mandatory across Europe, marking a seismic shift in the way companies collect, process, and handle personal data. Countries across the European Union and beyond have adapted their national laws to meet the requirements of the GDPR, with many introducing local derogations where the GDPR permits them.
Despite some early apocalyptic predictions about its impact, the reality has been far less dramatic. Nevertheless, the GDPR has been a serious consideration for businesses to take on board, bringing with it a diverse range of challenges and lessons.
Data Breaches
The protection of personal data and privacy is the cornerstone of the GDPR. According to the International Association of Privacy Professionals (IAPP), more than 89,000 personal data breach notifications have been filed with the various EEA regulators in the last year. As the data below shows, countries across CEE have not been immune.
Impact of Enforcement Powers
So far, according to the European Data Protection Board report, European regulators have used their enforcement powers to levy fines totalling over EUR 56 million against 91 companies (including EUR 50 million against a single organization). Although this figure may seem significant, with the exception of that EUR 50 million penalty the fines have been fairly conservative and nowhere near the maximum the regulators are able to order.
Despite this, the numerous enforcement activities carried out by supervisory authorities across CEE show that businesses will be reprimanded should they fail to comply with personal data protection obligations. This often means hefty fines, which under Article 83 of the GDPR can reach EUR 20 million or 4% of an organization's total worldwide annual turnover, whichever is higher, as well as significant reputational damage.
In Poland, the Personal Data Protection Office fined a company a staggering EUR 220,000 for failing to fulfil its information obligations. The company in question ran a commercial database of over 7.5 million records of personal data collected from public registers. It posted information about its processing of personal data on its website and sent privacy notices to those persons whose e-mail addresses it held, but it did not send privacy notices by post or text message to the remaining persons, arguing that the significant cost of doing so would involve a disproportionate effort. The Polish authority did not agree, stating that: (i) posting a privacy policy on the company's website is not sufficient from a GDPR perspective, and (ii) the "high cost" of a particular operation cannot be deemed a "disproportionate effort" that justifies failing to fulfil the company's information obligation.
In another case, a company in Bulgaria was fined EUR 27,098 for the unlawful use of personal data. A customer allegedly requested to switch from a subscription to a pre-paid service at a telecommunications company. However, the request form had not been signed by the customer: the signature was falsified. As a result, the company processed the customer's personal data for a purpose to which the customer had not consented, and therefore without a lawful basis.
These cases highlight the importance of "consent", arguably one of the most misinterpreted aspects of the GDPR. Consent is only one of the lawful bases for processing listed in Article 6. Where no other basis applies, companies must ensure that the data subject has consented to the processing of his or her personal data and, under Article 7, must be able to demonstrate that consent, which means keeping a thorough record of how and when it was given. It is crucial that businesses undertake a careful analysis of the available legal bases for processing and keep up to date with local regulatory guidance, as rules vary from country to country. For example, in Romania political parties, NGOs, and national minority organizations can process personal data without the express consent of the data subject. And shortly before this article was published, the Hungarian National Authority for Data Protection and Freedom of Information levied its highest ever data protection fine, EUR 100,000, against the annual "Sziget" music and arts festival after finding that the organizers were asking guests to consent to security screening (including photocopying personal IDs and taking photos at the entry gate) without demonstrating a legitimate interest in the data processing.
Cybersecurity: The Constant Threat
Cyber-attacks remain a real threat to individuals and businesses across CEE, and they impose enormous costs on their victims.
Underlining the need for robust breach management procedures, data security requirements, and encryption technology, an organization in Hungary was fined EUR 34,375 following a large-scale cyberattack. In this case, the attacker publicly disclosed information about the vulnerability in the organization's system, including the command used to carry out the attack. The disclosure of the identification data of more than 6,000 users (names, email addresses, usernames, and passwords) posed a high risk to those users, and the company was subsequently penalized. Properly hashed passwords cannot be read out of a stolen database, so the exposure of passwords, which people routinely reuse across services, is an aggravating factor in its own right. Meanwhile, in the Czech Republic, e-commerce company Internet Mall, a.s. was fined EUR 58,800 by the authorities for failing to secure customer personal data and prevent a large leak of it onto the public file-sharing service Ulozto.cz.
When it comes to processing employee data, it is equally vital that businesses adhere to the legal requirements governing data privacy. The point is illustrated by a EUR 1,278 fine imposed by the Bulgarian authorities on a company for carrying out background checks on the employment and insurance status of an ex-employee without a legitimate basis.
Conclusion
Information, both personal and commercial, is usually sensitive and often valuable. The GDPR was introduced to harmonize data privacy laws across Europe and to give individuals greater protection and rights. Companies across CEE have rapidly become familiar with the rigor with which the GDPR's requirements are enforced. In addition to a thorough awareness of the GDPR, it is crucial that businesses in the region stay abreast of local regulator guidance and develop a robust compliance culture. Failure to take these essential measures may result in harsh and costly consequences.
By Dora Petranyi, CEE Managing Director, CMS Cameron McKenna Nabarro Olswang and Johannes Juranek, Managing Partner, CMS Reich-Rohrwig Hainz
This article was originally published in Issue 6.6 of the CEE Legal Matters Magazine.