As covered in our Annual Review, 2020 was a blockbuster year for European data protection. If January is anything to go by, 2021 will be the same. New data breach notification guidance from the European Data Protection Board (“EDPB”), multi-million Euro penalties from DPAs in Germany, Spain and Norway, and court rulings on discriminatory use of algorithms, the one-stop-shop and GDPR’s territorial scope were all in the mix. Here are our “need to know” stories from January.

French DPA fines company and its service provider for inadequate credential stuffing controls and issues guidance for companies

On 27 January, the CNIL announced €150,000 and €75,000 fines against a company and its service provider respectively for inadequate credential stuffing controls which led to the exposure of approximately 40,000 website customers’ names, email addresses, order information and loyalty card balances. The fine is a rare example of a DPA penalising both the data controller and processor for the same failing. Deficiencies identified by the CNIL included not limiting the number of login requests from the same IP address and an absence of multifactor authentication. The CNIL also published credential stuffing guidance, which recommends further protections, including CAPTCHA puzzle-solving tests, consulting repositories of breached passwords, and usernames which are not based on users’ email addresses. The guidance also appears to suggest that the mere use of credentials obtained elsewhere to access an individual’s online account may not trigger GDPR notification obligations in the absence of unauthorised access to (or other interaction with) further personal data.

German electronics retailer fined €10.4m for employee and customer privacy violations

On 8 January, the Lower Saxony DPA fined German electronics retailer €10.4m for unlawful video monitoring of employees and customers spanning at least two years. The company claimed that it had installed video cameras to, among other things, deter and investigate criminal acts. However, the surveillance system was deemed to be neither limited to a specific period, nor to specific employees, as required by local law. The DPA stressed that the alleged deterrent effect of video surveillance could not justify a permanent and unprovoked violation of the personal rights of employees and customers. The penalty is the Lower Saxony DPA’s highest to date, and comes only months after the Hamburg DPA fined retailer H&M €35.3m for monitoring employees’ private lives. While has appealed, both penalties show that companies need to be wary not only of how they treat customer data, but also employee data.
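To make the CNIL findings on the credential stuffing case concrete, the following is an added illustration (not code from the original post, the CNIL, or either fined company) of two of the controls named there: capping the number of login requests accepted from one IP address within a time window, and checking a password against a repository of breached passwords before treating a login as complete. The `LoginGate` class, its thresholds, the hashed breached-password set and the sample credentials are all constructed for this example; a real deployment would source the breach corpus from a maintained service and add the multifactor step the CNIL also expected.

```python
"""Added example: per-IP login rate limiting plus a breached-password check.
All names, thresholds and sample data below are constructed for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached-password repository. Such corpora are
# commonly held as hashes rather than cleartext; SHA-1 is used here only to
# mirror that convention, not as a password-storage hash.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")
}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach repository."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for stored credentials (returns salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison against the stored salt/digest pair."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class LoginGate:
    """Sliding-window cap on login requests per source IP.

    Every request counts, successful or not, because the CNIL finding was
    about the number of login requests accepted from one address, not only
    failures. The clock is passed in explicitly so behaviour is testable."""
    max_attempts: int = 5
    window_seconds: int = 60
    _attempts: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _recent(self, ip: str, now: float) -> Deque[float]:
        q = self._attempts[ip]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()  # drop timestamps that have aged out of the window
        return q

    def ip_blocked(self, ip: str, now: float) -> bool:
        return len(self._recent(ip, now)) >= self.max_attempts

    def attempt(self, ip: str, username: str, password: str, now: float,
                credentials: Dict[str, Tuple[bytes, bytes]]) -> str:
        """Returns one of: 'blocked', 'bad_credentials', 'reset_required', 'ok'."""
        q = self._recent(ip, now)
        if len(q) >= self.max_attempts:
            return "blocked"          # rate limit hit; do not even evaluate the password
        q.append(now)
        stored = credentials.get(username)
        # Run the same verification even for unknown users so the response
        # time does not reveal which usernames exist.
        if stored is None or not verify_password(password, stored):
            return "bad_credentials"
        if is_breached(password):
            return "reset_required"   # valid but known-breached: force a reset
        return "ok"


if __name__ == "__main__":
    gate = LoginGate(max_attempts=3, window_seconds=60)
    creds = {"alice": hash_password("correct horse")}  # constructed sample account
    for t, pw in enumerate(["wrong", "wrong", "correct horse", "correct horse"]):
        print(t, gate.attempt("203.0.113.5", "alice", pw, t, creds))
```

The check against the breach repository is placed after successful verification so that a stolen-but-valid password is turned into a forced reset rather than a silent login, which is the scenario credential stuffing exploits. The per-IP window is deliberately coarse; a production gate would also key on the username and use a shared store rather than process memory.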