Since its implementation, more than 840 fines have been imposed across the EU for a total amount of around €1,288,000,000. In June, July and August 2021, the Commission Nationale pour la Protection des Données (CNPD) published the outcome of several investigations, becoming the authority that has imposed the highest total amount of sanctions in Europe.
The EU trends
As evocatively suggested by the EDPS, the GDPR is “a three-year-old who must still learn to walk before it runs”. Indeed, the EU regulators constantly provide guidance on interpreting regulatory requirements and face significant challenges.
· CARPA certification: the CNPD developed a certification mechanism to demonstrate that processing operations comply with the GDPR; the final version of the certification is expected by 2021.
· Industry 4.0: digital technologies have changed the financial industry's approach. In 2021 alone, the European regulators provided guidance on several high-risk topics, such as cybersecurity, artificial intelligence, cloud and outsourcing.
· ESG factors: according to the EDPS Strategy 2020-2024, there is growing concern about relentless data generation; debates on data sharing and redistribution aim to design rigorous proportionality tests against data misuse and unlawful access.
· AML/CFT: the European Data Protection Board, in the Letters dated May 2021, recommends that the upcoming AML/CFT instruments contain specific provisions to remedy the legal uncertainty currently surrounding the relationship with privacy requirements.
· International data transfer: in June 2021, the European Commission published two updated sets of Standard Contractual Clauses and adopted the Adequacy Decisions for transfers of personal data to the United Kingdom.
· ePrivacy Regulation: in February 2021, the Member States agreed on the revised rules on privacy and confidentiality of electronic communications, which, as lex specialis, will detail and complement the GDPR; the “trilogue” negotiations have now begun.
The GDPR appears to be only the tip of the iceberg.
Privacy and data protection in Luxembourg
Recently, the CNPD has published several decisions following privacy on-site inspections, focusing on Data Protection Officer requirements (art. 37 to 39 of the GDPR), video surveillance and geolocation systems, including the provision of adequate information notices (art. 12 and 13 of the GDPR), and the fulfilment of purpose limitation, data minimization and storage limitation principles (art. 5.1 of the GDPR).
The GDPR tolerance period is long over; companies should not be caught off guard if they are to avoid sanctions and reputational damage. Accordingly, data controllers should implement dedicated plans to comply efficiently with the data protection regulatory framework. To this end, a four-step approach (gap analysis, compliance risk assessment, compliance monitoring plan and implementation activities) could be considered a successful methodology.
Claudio ORLANDO MIELE – Privacy Leader/Governance, Risk & Internal Control – Mazars
Gianfranco MEI – Partner/Governance, Risk & Internal Control – Mazars