The German Data Protection Authority in the state of Baden-Württemberg (DPA) imposed the first fine under the GDPR in Germany. The fine of EUR 20,000 was imposed on a chat platform provider for storing its users’ passwords without encrypting them. The unencrypted storing of passwords was revealed by the provider itself in conjunction with submitting a breach notification to the DPA following a hacker attack. It began with a security breach: The chat platform provider “knuddels.de” was…
The Bavarian Data Protection Authority (“DPA”) has recently published a number of position papers clarifying certain requirements under the GDPR. Data Processing Agreements can be concluded electronically. Parties must, of course, document the electronic conclusion of the agreement sufficiently and conclusively for their own purposes, and be able to evidence its conclusion in case of an audit by the DPA. Using a ‘qualified electronic signature’ to do so, although not mandatory, is only one way to…
In light of the GDPR, the German data protection authorities (German DPAs) have issued new guidance regarding the implementation of whistleblowing hotlines. The new position of the German DPAs is so fundamentally different from their pre-GDPR position that German companies should review, and likely implement changes to, any existing whistleblowing hotlines offered to their employees. The general EU position before the GDPR came into effect was that whistleblowers were encouraged to disclose their identity rather than…
Now that the EU General Data Protection Regulation (GDPR) is officially enforced, any business looking to bring its data protection practices in line with it will need to understand and analyse the local laws supplementing the regulation. This is a time-consuming and difficult task. In order to help businesses with this process, Baker McKenzie has updated the 2018 edition of its GDPR National Legislation Survey, which captures the status quo on national data protection law developments as…
On 23 March 2018 the German Commission for the Protection of Youth in the Media (KJM) released its long-awaited official position on loot boxes. The KJM is the head regulator for youth protection in online media in Germany (including video games, apps, social casino, etc.). Whilst the KJM’s statement is non-committal, it outlines that loot boxes can, under certain circumstances, violate youth protection laws. The KJM is not responsible for regulating gambling. Thus, potential…
Under the European General Data Protection Regulation (GDPR), which will start to apply on 25 May 2018, many companies will be required to appoint a Data Protection Officer (DPO). Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to EUR 10 million or up to 2 percent of the total worldwide annual turnover, whichever is higher. So, who do you appoint as your DPO? Companies may choose…
In January, the European Commission proposed a new Regulation on Privacy and Electronic Communications (“Draft ePrivacy Regulation”). The Draft ePrivacy Regulation is intended to replace the existing “ePrivacy Directive” (Directive 2002/58/EC as amended by Directive 2009/136/EC) and supplement the General Data Protection Regulation (“GDPR”) as of May 25, 2018. In the following we explain the most significant changes to be expected. Extended scope: The Draft ePrivacy Regulation has a much broader scope than its predecessor and applies…