UK: ICO announces first ‘mega fines’ for data breach under GDPR

In the last couple of days, the Information Commissioner’s Office has issued two notices of intent to impose the first ‘mega fines’ under the GDPR regime for data breaches by British Airways (for £183.39 million) and Marriott International (for £99.2 million). Both companies now have the chance to respond to the notices of intent, after … Read more

UK: right to privacy in relation to personal emails and WhatsApp messages

The European Court of Human Rights in Garamukanwa v United Kingdom has confirmed that the right to privacy can theoretically apply in relation to communications sent from a workplace email address, or which touch on both professional and private matters. However, in this case, the employee did not have a reasonable expectation of privacy in … Read more

UK: DSAR ruling confirms that descriptions of the purposes of processing and recipients of personal data can be general, but actual identity of sources must be provided

The recent High Court judgment in Rudd v Bridle & J&S Bridle Ltd provides some useful guidance on subject access requests under the Data Protection Act 1998 (equally relevant to the new GDPR regime). Dr Rudd, a medical expert on exposure to asbestos, was the subject of a campaign by a lobbyist for the asbestos … Read more

EU: draft guidelines on GDPR extra-territoriality published

On 23 November 2018, the European Data Protection Board published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation. The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing … Read more

UK: new resources on criminal record checks, mental health and dyslexia

Unlock has published new guidance for employers on criminal record checks, to which the ICO has contributed. The guidance states that checks at the application stage are unlikely to be necessary for most jobs and therefore likely to be a breach of the GDPR. In relation to checks at the job offer stage, the guidance … Read more

UK: first enforcement notice under GDPR shows extra-territorial reach

The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the General Data Protection Regulation (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU. The ICO found that the … Read more