Sign up for the DPO Europe Newsletter
We will share useful materials with you and talk about the latest news from the world of privacy.
News Digest: fines & restrictions
Berlin DPA imposes €525,000 fine over a DPO’s conflict of interest
The Berlin DPA issued a fine of €525,000 on a subsidiary of a retail group that appointed a DPO who was a managing director for two other companies that were part of the same group.
These two companies were processing personal data on behalf of the company of the DPO in question. The Berlin DPA found a conflict of interest since the individual was acting as a DPO responsible for the data processing activities of companies they had been actively managing.
SEC imposes $35M fine over data deletion violations
The U.S. Securities and Exchange Commission (SEC) fines Morgan Stanley Smith Barney LLC (MSSB) for data deletion issues that affected 15 million customers over a five-year period. MSSB failed to properly dispose of devices containing its customers’ PII.
On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers.
The moving company sold to a third-party thousands of MSSB devices, including servers and hard drives, which were eventually resold on the internet without removal of such customer PII. Moreover, during another decommissioning process, 42 servers containing unencrypted PII were discovered to be missing. MSSB consented to the SEC’s order and agreed to pay the fine.
Danish DPA also renders decision against Google Analytics transfers to the US
The Danish DPA’s decision aligns with the ones from the French, Italian, and Austrian DPAs. The decision revolves around the unlawfulness of US transfers taking place without the implementation of supplemental measures.
The DPA stated that the measures already implemented by Google were not suitable to prevent access to the transferred personal data by US law enforcement authorities. The only effective measures are encryption, where the encryption keys are held exclusively by the data exporter or a third party within the EU/EEA or in a secure third country, or pseudonymisation implemented by establishing a reverse proxy server which acts as a hub for internet traffic from website visitors.
This way, an organisation can gain control over what data is collected and what data is subsequently sent to Google’s servers used to provide the Google Analytics tool. The DPA also stated that a risk-based approach is not suitable in the context of foreign law enforcement authorities’ access to personal data, while the use of consent for such transfers is not compatible with the usual use of Google Analytics.