Most organizations to which the GDPR applies expected its rules to be enforced gradually and gently. Yet barely six months after the GDPR took effect, one company was already facing the maximum penalty of EUR 20 million. Which fines have the European regulators imposed so far, and why?
EUR 20,000
The German chat and dating platform Knuddels was among the first to be penalized under the GDPR. The data protection authority of the German state of Baden-Württemberg found that the site had stored user passwords in plain text, without hashing or any other safeguard, and that a breach had exposed about 808,000 e-mail addresses and more than 1.8 million user names together with their passwords. Because the passwords were stored unhashed, whoever obtained the files obtained working credentials directly.
The comparatively small fine reflects the fact that Knuddels itself reported the breach, as the GDPR requires, and promptly introduced additional security measures.
EUR 400,000
In September 2018, the Portuguese data protection authority (CNPD) penalized a hospital whose medical records system allowed patient data to be accessed through accounts that did not correspond to real staff. The regulator found 985 accounts with physician-level access registered in the system, while the hospital employed only 296 physicians.
EUR 20 million
The Canadian consultancy Aggregate IQ faces the maximum fine. The UK Information Commissioner's Office issued an enforcement notice over the unlawful collection and processing of social-network users' personal data for targeted political campaigning, warning that failure to comply with the notice could attract the maximum penalty. The company is currently appealing the notice.
Recall that Article 83 of the GDPR sets two tiers of administrative fines: up to EUR 10 million or 2% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher; and up to EUR 20 million or 4% of that turnover, whichever is higher.
The rules for setting the amount, however, leave the supervisory authority considerable discretion. Under Article 83(2) the amount depends, among other things, on: the action taken by the offender to mitigate the damage; the degree of cooperation with the supervisory authority; the categories of personal data affected; and the manner in which the authority became aware of the infringement, in particular whether the offender reported it itself.
We therefore recommend that companies and their compliance staff review their internal policies on processing and protecting personal data against the GDPR and put in place a working procedure for prompt breach notification; the GDPR requires the supervisory authority to be notified within 72 hours of the company becoming aware of a breach. These simple steps can save both nerves and millions.