Author Archives: Panayiotis Z. Toulouras LLC

Largest amount of GDPR breaches in CEE relate to entities in healthcare, telecom, financial, media & technology services.

 

INTRO

Recent research undertaken by Deloitte Legal in countries that are part of Deloitte Central found that the largest number of controls and fines for possible breaches of the GDPR were reported in ‘highly regulated and client-facing industries’ where large volumes of personal data were being processed. The research covered the period from when the GDPR came into force until May 31, 2019, which is just over a year.

SECTORS AFFECTED

The sectors evidenced as having the largest number of breaches were private healthcare (due to the handling of sensitive data), telecom and financial services, the public sector, media and technology (mostly apps). Most supervisory authorities instructed companies to observe and comply with regulations on data minimization, purpose limitation and data retention principles, data subjects’ rights, video surveillance, direct marketing, profiling and cookies.

With just over one year gone, the survey of 8 countries found that the 34 fines set for GDPR violations amounted to nearly EUR 750,000. The largest fine of them all was imposed in Poland on a company processing personal data gathered from public sources and using this data for profit, which of course violates the principles of lawfulness, fairness and purpose limitation. In total, the Romanian Data Protection Authority undertook 981 controls, imposed 57 corrective measures and issued 23 warnings, with a large number of investigations still pending.

Georgiana Singurel, a member of the Deloitte Legal network, stated that “Romania has just reported its first fine for GDPR violations, of EUR 130,000, applied to a bank. We also see various and significant controls across Europe and fines imposed almost each week in many jurisdictions, out of which the leader is the EUR 50 million fine imposed to Google in France.”

CEE GDPR BREACHES SO FAR

Until May 31st 2019, data breaches reported to each national data protection authority have been:

  • Poland: 2,000
  • Czech Republic: 626
  • Romania: 398
  • Hungary: 380
  • Lithuania: 93
  • Bulgaria: 33

Georgiana Singurel finished off the great and insightful survey by stating that “GDPR has been a major disruptor for any entity processing personal data and Romanian companies across all industries have worked on identifying the main risk areas and on assuring the compliance with the regulation. We see amongst our clients a continued focus on setting up complex internal processes and on adjusting legal documents in order to comply with GDPR, as well as on training their employees in this area.”

WHAT WE CAN DO

Panayiotis Z. Toulouras LLC provides counsel to clients on all the data protection matters and laws in place with the newly established GDPR. For any enquiries or assistance, feel free to contact us at [email protected] or call us directly at +357 24 623 800. For more information visit www.toulouraslaw.com.

Over £280m in fines could be given to Hotel and Airline Giants due to GDPR Breach.

Marriott could be fined £100m for GDPR violation – Hotel

Marriott, the hotel chain that manages and franchises a great portfolio of hotels, could be facing a fine of up to £100m for a breach of personal data that exposed nearly 400 million guests.

The chain’s database was hacked, with millions of guest records, passport details and credit card records ending up in the hacker’s hands. To make matters worse, the breach had been recorded from 2014 but was not discovered until towards the end of 2018.

The U.K.’s leading body for upholding the personal data rights of consumers, the Information Commissioner’s Office (ICO), stated in its report that Marriott did not undertake adequate due diligence during its purchase of the Starwood group and that more should have been done to secure its systems and limit exposure to a breach.

British Airways could be fined £183m for GDPR violation – Airline

British Airways could be facing a possible fine of £183m (around 1.5% of their annual revenue) for the breach experienced last year in their security systems. The breach resulted from a website failure which compromised the personal details of nearly 500,000 of their customers who had booked through their website or app. Hackers were able to steal the card details of customers, with compensation charges given by BA racking up to £56m alone so far.

If the hefty penalty is handed out by the ICO in the United Kingdom, it could be the largest fine given so far under the new EU General Data Protection Regulation (GDPR) established in May 2018.

The ICO had said that the reason behind this breach was the weak security measures put in place by BA, and that it could have been avoided if the GDPR had been followed step by step.

Protect your organization and your customers right – Data Protection Services

When any type of organization processes and agrees to handle the personal data of any person, it has a duty to undertake the right procedures and assessments to protect them. When it fails to do so, this can have dire results for both customers and organisations. Smaller organisations could suffer even more from a possible breach, as a combination of heavy fines and loss of business and consumer confidence could be difficult to overcome.

As such, the new GDPR will not be lenient with organisations that fail to follow protocol, with huge fines possible of up to €20 million or 4% of annual global turnover, whichever is greater.

Panayiotis Z. Toulouras LLC provides counsel to clients on all the data protection matters and laws in place with the newly established GDPR. Our law firm effectively assists our clients to meet all legal obligations and to avoid situations like BA’s. For any enquiries or assistance, feel free to contact us at [email protected] or call us directly at +357 24 623 800. For more information visit www.toulouraslaw.com.

CySEC circular – Reminder to Alternative Investment Fund Managers on minimum investment requirement.

The Cyprus Securities and Exchange Commission ('the CySEC') recently released circular ‘C321’, dated 7th of June 2019, reminding all Alternative Investment Fund Managers (AIFMs) to raise capital from investors within 12 months from the date that funds under their control were authorised by CySEC.

Specifically, Law 124(I)/2018 or ‘AIF Law’ states that all authorized or regulated AIFMs are required by Article 14 to raise at least €500.000 worth of capital from investors within the 12 months mentioned.

The article further provides that capital commitments are not to be calculated as part of the minimum investment and, in situations where the AIF is internally managed, the initial capital requirement is also excluded. Payments made by investors should be made either in cash or in assets related to the AIF’s investment policy and free of liens. Non-cash payments made by investors will need to be valued at the date of payment by an independent valuer.

Lastly, the circular also states that all types of AIFs authorized prior to the aforementioned legal requirements being in force will need to comply with any new obligation as stated in Article 145 of the 'AIF Law'.

The team here at Panayiotis Z. Toulouras LLC is able to assist and guide you on the above and other issues relating to all AIFs in Cyprus. For any enquiries or assistance, feel free to contact us at [email protected] or call us directly at +357 24 623 800. For more information visit www.toulouraslaw.com.

Read the full circular here.