Included in this edition of Data & Privacy News: President of the Polish DPA issues first Polish GDPR fine; EDPB issues statement on the ePrivacy Regulations and opinion on interplay between the ePrivacy Directive and GDPR; Report shows over a quarter of SMEs fail to implement any cyber security measures and more...

President of the Polish DPA issues first Polish GDPR fine

The President of the Personal Data Protection Office ("PDPO"), the Polish Data Protection Authority ("DPA"), has issued its first fine under the GDPR for failure to provide full fair processing information to data subjects in breach of the transparency principle.

The company in question, failed to inform many individuals that their data would be processed by the company, depriving them of the possibility to exercise their rights under the GDPR. 

A fine of EUR 220,000 was imposed on the company by the PDPO as the infringement was seen to be intentional. The company was aware of its obligations to provide the relevant information, as well as the need to inform the individuals directly, but opted not to do so to reduce the number of objections to processing that it received. The DPA also took into account the fact the company had not taken any action to remedy the infringement and had not indicated that it intends to remedy the infringement. 

EDPB issues statement on the ePrivacy Regulations and opinion on interplay between the ePrivacy Directive and GDPR

During a plenary session on the 12 March, the European Data Protection Board ("EDPB") adopted an opinion on the interplay between the ePrivacy Directive and the GDPR. The opinion addresses questions on the competence, tasks and powers of DPAs when the processing of personal data comes under the scope of both the GDPR and the ePrivacy Directive. In its opinion, the EDPB confirmed that it believes DPAs are sufficiently competent to enforce the GDPR and the overlap of legislation does not limit the competences, tasks and powers of the DPAs under the GDPR.

The EDPB has also published a statement outlining its views on the draft ePrivacy Regulations and invited EU Member States to finalise their positions on the ePrivacy Regulation in order for negotiations with the European Parliament to commence as soon as possible following the European Parliament elections in May. The ePrivacy Regulation, which complements the GDPR, is the final step in the EU's framework for data protection and confidentiality of electronic communications.

Report shows over a quarter of SMEs fail to implement any cyber security measures

A survey, commissioned by Business in the Community, has highlighted a growing gap between the cyber safeguards introduced by medium sized firms and the lack of importance smaller sized firms place on securing their digital presence from cyber criminals.  

The 'Would you be Ready for a Cyber Attack' survey revealed that over a quarter of the UK's small to medium sized enterprises (SMEs) had failed to implement any cyber security measures or strategies in the last year. In addition, only 10% of smaller firms had looked into solidifying their employees understanding of cyber threats to prevent cyber attacks. 

Law firms were more likely to ensure that adequate cyber security measures were in place with only 8% lacking measures.

For those SMEs that had improved their cyber security, the main reason for this was to comply with the GDPR.

ICO fines Kent pensions company £40,000 for sending nearly two million marketing emails without consent

The Information Commissioner's Office (ICO) has fined Grove Pension Solutions Ltd, a Kent pensions company, £40,000 for sending out nearly two million direct marketing emails without consent. 

During the investigation, the ICO found that the company had instructed a marketing agent to use third party email providers in order to host its marketing campaigns which advertised the company’s services.

Grove Pensions Solutions Ltd had sought specialist advice from a data protection consultancy prior to sending out the emails between 31 October 2016 and 31 October 2017. The company had also taken independent legal advice about the use of hosted marketing. However, this advice failed to be accurate and the ICO found that the companies marketing activity fell foul of the Privacy and Electronic Communications Regulations.

EDPB and LIBE Committee publish report on GDPR implementation

The EDPB Chair and Vice-Chair recently addressed the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) on the implementation of GDPR and the roles and means of the national supervisory authorities.

The members of the EDPB are of the view that the GDPR cooperation and consistency mechanisms are working well in practice with national supervisory authorities making daily efforts to facilitate this cooperation. However, these cooperation duties do impose extra workloads, additional time constraints and have an impact on budgets of the regulators. 

The report also confirms that in the first nine months following GDPR implementation, over 200,000 cases have been investigated by national data protection authorities across Europe, and that 11 authorities have issued fines amounting to a total of over €55m.