The possibility of imposing significant amount of fine for the violation of data protection rules drew immediate attention to the issue of data protection compliance. While the amount of administrative fine in the GDPR was only a theoretical maximum, fines imposed in specific cases could serve as…

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) was the first data protection authority in the EU that has published a fining policy detailing the principles for setting administrative fines in specific cases. The impact of the fining policy issued by the Dutch Data Protection…

One of the biggest challenges in meeting data protection requirements is to translate the general principles and rules into concrete actions and daily routines. How much and what data is needed to achieve a particular purpose? How can we obtain the necessary consent? How can we provide proper…

January 28 is the Data Protection Day since 2007. The goal of Data Protection Day is to raise awareness of data protection, which may never have been as current as nowadays. The extensive use and processing of personal data is very common in our everyday lives (we use smartphones, smart watches,…

GDPR provides various legal basis for data processing activities, including consent, legitimate interest, mandatory processing. One option is the legal basis that can be applicable to contractual relationships. According to the Preamble to the Regulation:  Processing should be lawful where it is…

Surveys show that very few people choose passwords that are strong enough, and many prefer to use the same password on multiple, or even all, online platforms. Similarly to PIN codes, where 1-2-3-4 and other easily solvable combinations are the most popular ones, we are not careful enough about…

GDPR requires supervisory authories to establish and make public their lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment (DPIA). 22 supervisory authorities submitted their draft lists to the European Data Protection Board (EDPB)…

The Hungarian Data Protection Authority (NAIH) published its "black list" on processing activities that shall be subject to data protection impact assessment, in line with Section 35 (4) of the GDPR. The European Data Protection Board provided its opinion on the draft list at the end of September…

Five months have passed since May 25 when the General Data Protection Regulaton (GDPR) became applicable in the European Union. Data controllers and processors struggled a lot to be ready for the application of the rules of the GDPR. However, there are several rules in the GDPR that leave space for…

One of the important novelties of GDPR was that it applies not only to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, but also to the processing of personal data of data subjects who are in the Union by a controller…