Real impact!

Understanding GDPR

Shalini Kurapati, CIPP/E

Co-founder, Clearbox AI

Fines and reputation damage are real

Logo representing the Italian Supervisory Authority with the Italian flag with a document surrounded by the stars of the EU flag with a blue background.

Example - Italian SA fines a diabetes app

  • Email addresses in CC instead of BCC - information breach + health status disclosure
  • Breaches of
    • Lawfulness, fairness, and transparency (validity of consent)
    • Purpose limitation; security
    • Disclosure of special category (health status) - fine EUR 45,000
1 https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9809998

225 million fine - true story

Logo of the Irish Supervisory Authority. The words "Data Protection Commission" written in Gaelic and English.

  • WhatsApp - Millions of EU users
  • Transparency, insufficient safeguards
  • Data sharing with its parent companies
  • Irish SA - EUR 225 million with a strong reprimand
  • The app had to change its privacy policy
1 https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry

No exemptions for EU bodies

Screenshot of a part of the first page of the EDPS decisions against European Parliament regarding data protection violations.

  • European Parliament violation of GDPR - EDPS reprimand
  • Transparency shortcomings in its privacy policy
  • Inadequate safeguards for data transfers to the US
1 https://noyb.eu/en/edps-sanctions-parliament-over-eu-us-data-transfers-google-and-stripe

International transfers: Adequacy

Picture with a hand holding a sketch pen after writing the word approved and circling it.

  • GDPR covers 27 EU and three non-EU (Iceland, Liechtenstein, and Norway) countries
  • Personal data transfers outside these countries need special safeguards - Adequacy
  • Seal of approval - GDPR level protection
  • European Commission (Article 45, GDPR) - Decides on adequacy, continuous reviews
  • Example
    • US adequacy decision revoked in 2020
    • Ongoing talks about reinstating adequacy

Not adequate, now what?

Diversified toolkit:

  • Standard contractual clauses
  • Binding corporate rules
  • Certification mechanism
  • Codes of conduct
  • Derogations

All the updated information is on the European Commission website - responsible data transfers

1 https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en

Let's practice!
