Apr 04

DP News – Week 14. Subway operator was fined for covert employee monitoring in Iceland, Finnish DPA imposed fine for data retention violations and published its 2024 inspection plan, France’s DPA (CNIL) published a 5-year GDPR compliance review regarding data breaches.

The subway operator in Iceland faced a fine of €10,059.92 for unlawfully monitoring employees without adequate disclosure, following a complaint to the Icelandic data protection authority (DPA). Although the operator justified the surveillance as serving security purposes, the DPA found that it lacked necessity and transparency. In addition to the fine, the controller was ordered to erase unauthorized data, inform employees about monitoring, and maintain processing records to comply with GDPR.


***

The Finnish DPA has imposed an administrative fine of €856,000 on a company for its failure to specify the retention period of customer account data. Furthermore, the company’s policy mandating customer accounts for purchases on its web store was found to contravene data protection regulations. Triggered by a customer complaint, an investigation revealed that the company retained data on customer accounts indefinitely. The DPA deemed this practice a violation of GDPR and instructed the company to establish a retention period for the data and revise its registration policy. The company intends to challenge the decision.

The DPA has also published its inspection plan for 2024. Ten inspections are planned. Several inspections investigate, among other things, how data controllers manage access rights and supervise the processing of personal data in their operations.

***

France’s DPA (CNIL) published a 5-year GDPR compliance review regarding data breaches. According to the official press release, “between May 2018 and May 2023, the CNIL received 17,483 data breach notifications. This volume does not reflect the actual number of incidents since the same event, such as a hack, can give rise to multiple notifications. This often corresponds to situations where a service provider is affected by an attack and notifies its customers, in accordance with the GDPR, who themselves make their own notifications.

By grouping notifications linked to the same origin, it appears that the number of data breaches notified to the CNIL is increasing over the years. More than half of reported breaches originate from hacking: ransomware ranks first, followed by phishing attacks”.
