Marking a year since the entry into force of the GDPR on 25 May 2018. Contributor Ius Laboris
One year after the GDPR became effective, the Bulgarian Commission on Personal Data Protection (the ‘Commission’) has taken a mild approach to enforcement. The Commission’s most common enforcement actions include issuing warnings, official reprimands, and orders for bringing processing activities into compliance with the GDPR. In a few isolated cases, particularly where the personal data controller at fault has been especially non-cooperative, they have issued fines in the range of EUR 500 – 5,000, mostly for processing personal data without a sufficient legal basis under Article 6 of the GDPR. Proceedings before the Commission have usually been initiated on the basis of data subjects’ complaints.
Other than enforcement, the Commission has been preoccupied with issuing statements on the GDPR’s application, conducting training, participating in conferences, and otherwise raising awareness on the new legal framework.
The Commission took a significant role with respect to the amendments to the Bulgarian Personal Data Protection Act, promulgated in February 2019. Furthermore, in view of the general provisions of Article 32 GDPR on the required level of security, the Commission revoked Ordinance 1/2013 on the minimal level of technical and organisational measures and the permissible type of personal data protection, which used to impose specific obligations at a local level for Bulgarian controllers.
As of May 2019, the Commission has not issued any official statistics or estimates on the level of compliance of businesses and administrative bodies with the GDPR.
In the Czech Republic, there have not yet been any GDPR related court cases and only a few resolutions of the Office for Personal Data Protection (the ‘Office’) on GDPR breaches. This is because the implementation law only became effective from 24 April 2019 and until then, the Office only issued warnings or recommendations. We believe that the Office’s approach will be similar both in terms of sanctions and assessment of specific data privacy related situations to that adopted while the previous legal regulation was in force. Before GDPR, the Office did not fine employers for mistakes in data privacy documentation or processes or imposed very low fines (mostly between EUR 100 and 1,000).
The Act on Personal Data Processing (‘Zákon o zpracování osobních údajů’), effective from 24 April 2019, does not include specific employment law-related provisions. Therefore, employers, as data controllers, must comply mainly with the provisions of the GDPR and the Labour Code, which regulates monitoring of employees and recruitment rules. The new Act only contains minor exceptions, such as an amendment to the obligation of the controller to notify a data subject of a personal data breach or the exemption from the duty to perform a data protection impact assessment (DPIA) if the duty to process the personal data is stipulated by law.
The volume of useful GDPR-related information for employers now available is substantially larger than what we had in May 2018. The Office for Personal Data Protection has published a number of GDPR guides and issued useful statements focused on specific matters, such as marketing, biometrics, employee’s consent, use of employee’s photos and the need to prepare a DPIA. The majority of employers are still dealing with GDPR-related problems and a number of them have not yet provided the relevant GDPR documentation to employees.
The Latvian DPA did not impose many penalties during the first year of GDPR application. The biggest publicly announced penalty was only EUR 2000, which is even smaller than the penalties imposed before the GDPR became effective. There are several reasons for this: the DPA announced that in the first year it would be devoted to consulting to ensure appropriate implementation of the GDPR. The DPA was also overloaded due to a record number of complaints. Additionally, historically, the DPA’s activity regarding penalties has been variable: if one year has been productive in terms of penalties, the next has usually been less active.
Data controllers also started reporting personal data breaches but many of these cases did not qualify to be reported under the GDPR. Thus, many controllers choose an overly cautious reporting strategy.
Latvia’s ‘Personal Data Processing Law’ does not repeat the provisions of the GDPR; instead it sets out provisions regarding the DPA, data protection officers, certification mechanisms, exceptions for data subjects’ rights as well as some specific personal data processing cases (such as children’s person data, video surveillance and logs). Still many data protection provisions can be found in other legislation related to other specific areas of law (such and litigation, patients’ rights, accounting, tax and many others).
There are several trends related to GDPR implementation. The most widespread one relates to dealing with the data subjects’ requests: while ensuring access rights is a good test for reviewing a controller’s data processing activities, the ‘right to be forgotten’ can be a reason for a further litigation. Moreover, companies have started paying more attention to security measures tailored specifically for personal data. Finally, GDPR-related questions have become an important part of M&A deals.
On 16 May 2019, the first fine (EUR 61,500) for a breach of the GDPR imposed by the Lithuanian State Data Protection Inspectorate was announced. It was imposed on the electronic money institution MisterTango. The investigation proved that the company had breached three GDPR articles: the data minimisation principle, lack of security measures and failure to inform the DPA about a data security incident.
The company denies the alleged violations, specifically the failure to notify the DPA, stating that the obligation to notify was not breached, as the personal data incident was unlikely to result in risk to individuals’ rights and freedoms. It was reported that the data incident lasted two days, during which approximately 50 clients’ data was freely accessible from outside the company. However, according to the company no actual data leakage occurred. Nevertheless the DPA decided that it should have been notified. The company intends to appeal the decision to the national courts.
On 16 July 2018, the Law on Legal Protection of Personal Data was adopted. This law provides some basic rules for the use of individuals’ personal codes (national ID numbers) and for processing employee personal data. For example, it provides that it is forbidden to process candidates’ criminal records unless specifically prescribed by laws. In addition, the Lithuanian DPA has adopted an order specifying the data processing operations requiring a privacy impact assessment. They include cases when telephone conversations are recorded, CCTV monitoring of public spaces and when children’s data is processed for direct marketing purposes.
The GDPR received significant attention in the Lithuanian media and particularly among the business communities in larger Lithuanian cities. In comparison, GDPR compliance in smaller towns and state and governmental institutions is still not adequate. Nevertheless, the Lithuanian DPA is quite active and supportive. In January, a list of planned inspections was made public announcing the names of 75 organisations that will face GDPR compliance inspections in 2019. After the investigations are completed, the DPA usually provides its recommendations regarding the most common compliance failures.
The Polish DPA has imposed two GDPR fines so far. The first, of PLN 943,000 (approximately EUR 218,803), was imposed on an entity that processed the data of 6 million data subjects, but only informed 90,000 of them about it. The second fine of PLN 55,000 (approximately EUR 12,762) was imposed on a sports association for failing to delete judges’ data effectively.
Last year was also unique in terms of number of reported complaints and breach notifications. According to figures gathered by the Panoptykon Foundation, from 25 May 2018 to 28 February 2019, 5651 complaints were filed in Poland. Additionally, 3189 data breach notifications were submitted to the DPA.
Although the main result of entry into force of GDPR was the introduction of a completely new Act on the protection of personal data in Poland, amendments to the Polish Labour Code introduced even more significant changes in the field of the employment market and practice. Firstly, specific provisions regarding workplace monitoring are now in force and this monitoring is only allowed in certain situations. In addition, a list of employees’ and job candidates’ personal data that can be processed by employers has been established. There is a list of data that ‘must’ be requested by employers and provided by candidates and employees. Additionally, new provisions expressly allow employers to collect other personal data on the basis of job candidates’ or employees’ consent. However, any special categories of data can only be processed based on consent if provided by the job candidate or employee at their own initiative. Employee biometric data processing is also possible if it is necessary to control access to particularly sensitive information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection.
Recently, GDPR-related issues have dominated the labour law market. The DPA has issued a handbook for employers with answers to frequently asked questions. One hot topic is the scope and retention of data collected during recruitment. As yet, the appropriate retention period is unclear, since the opinions of the DPA and Polish Ministry of Digital Affairs differ. Close scrutiny of practical developments will be essential.
Lastly, video monitoring is expected to become one of the main issues in 2019. The DPA has announced that its activity will focus on this area. In parallel cases related to the legality of video monitoring or the legal basis of employee data processing are slowly starting to be reviewed by the courts.
Slovakia is still waiting for the first fine for failure to comply with the GDPR. Notwithstanding, the Slovak DPA has imposed fines of up to EUR 5,000 for refusal to cooperate during inspections to ‘motivate’ the organisations under inspection to provide the documents and information requested.
This is because the Slovak DPA is overloaded with thousands of complaints brought by the individuals, who in many cases are not even the data subjects, whose rights could have been violated. This means the inspections take months and data controllers are nervous of whether they are fully compliant or will be fined.
Despite the fact that the GDPR is effective EU-wide, Slovakia has adopted its own legislation, which came into force on the same day as the GDPR. The local law does not deviate from the official text of the GDPR, except the parts regulating the activities of the Slovak DPA. So far, the interpretations of the GDPR made by the local authority are in line with the guidelines issued by the European Data Protection Board.
Slovak employers were quite well prepared for the GDPR. HR departments took the opportunity to revise HR documentation to meet GDPR requirements (and if necessary, to also update it in other areas). One year later, most employers have implemented the GDPR, or at least tried to. One positive observation is that after identifying any inconsistency with the GDPR, they are willing to fix it rapidly.
The Slovak courts are also prepared to apply European case law when dealing with employee privacy breaches and monitoring employees´ work activities. Moreover, the Supreme Court has opined that such case law also applies to privacy breaches that occurred prior to the relevant EU case law. This means employers are forced not only to keep up with recent EU case law but also to establish a careful balance between their right of control and employees’ privacy rights to avoid any future claims.
Slovenia is one of the EU member states that has not yet completed the implementation of the GDPR into national legislation. The legislative procedure for the adoption of the new Personal Data Protection Act is still ongoing. Only after its adoption will there be legislation listing violations and providing a basis for sanctions under the GDPR. The Information Commissioner (the competent authority for data protection in Slovenia) does not currently have the power to impose administrative fines for GDPR violations. Consequently, the Information Commissioner can only impose monetary fines under the currently valid Personal Data Protection Act for matters not covered by the GDPR (e.g. biometrics, direct marketing, video surveillance, database linking etc.). Inspections initiated prior to GDPR with regard to matters now regulated by the GDPR have been suspended until the new Personal Data Protection Act is adopted.
The latest proposal for the new Personal Data Protection Act was published on 6 March 2019 and is currently in the public consultation phase. The main concern is that the proposed new Act may overstep the margin of discretion foreseen in the GDPR in some aspects. It is, therefore, expected that the proposal will undergo further revisions, before being adopted by the National Assembly, probably in the second half of 2019.
Observations from the Information Commissioner show there has been a significant increase in requests for access by individuals to their personal data and requests for erasure of personal data. As follows from these observations, as a result of poor differentiation between legal bases for the processing of personal data under GDPR, many businesses prefer to ‘flood’ data subjects with consent requests rather than relying on another legal basis for processing. However, on the other hand, a number of DPO’s have been nominated (more than 2,100). The Information Commissioner also notes that data subjects are quite well acquainted with their GDPR rights deriving. As regards the impact on HR, practice shows that regulation was also rather strict before the GDPR and, therefore, no major changes have had to be implemented in this respect so far.
Contributing authors include:
Deyan Terziev of Boyanov & Co
Irena Lišková of Randl Partners
Anna Vladimirova-Krjukova and Renata Vasiliauskienė of COBALT
Edyta Jagiełło and Marta Zalewska of Raczkowski Paruch
Danica Valentová of Nitschneider & Partners
Darja Miklavčič of Selih & Partnerji
THIS UPDATE PROVIDES SUMMARY INFORMATION AND COMMENT ON THE SUBJECT AREAS COVERED. EMPLOYMENT LAW IS SUBJECT TO CONSTANT CHANGE EITHER BY STATUTE OR BY INTERPRETATION BY THE COURTS. WHILE EVERY CARE HAS BEEN TAKEN IN COMPILING THIS INFORMATION, WE CANNOT BE HELD RESPONSIBLE FOR ANY ERRORS OR OMISSIONS. SPECIALIST LEGAL ADVICE MUST BE TAKEN ON ANY LEGAL ISSUES THAT MAY ARISE BEFORE EMBARKING UPON ANY FORMAL COURSE OF ACTION.