While things have gone a little quiet in the UK following the ICO’s notices of intent to fine British Airways and Marriott in the summer, European data protection authorities have been a little more active in recent weeks. A quick summary of some of the cases:
· Bulgaria – €2,600,000 fine – information security breach leading to 6 million records being made available
· Sweden – €18,630 – a school introduced the use of facial recognition technology for monitoring attendance without having conducted a Data Protection Impact Assessment (DPIA) and, as facial recognition constitutes biometric data, they could not find an applicable lawful basis (consent could not be “freely given” in this scenario).
· Germany – €195,407 fine – a company had not deleted the personal data relating to former customers who had not been active for a number of years. The company also continued to send unsolicited marketing messages even after receiving objections from the recipients.
· Austria – €50,000 fine (unconfirmed) – a controller working in the medical sector was fined for failing to appoint a statutory Data Protection Officer, for relying on consent as the basis for using personal data (when consent could not be “freely given”) and for not having conducted any DPIAs, despite the sensitivity of the data they held.