HDPA Imposes EUR 20 million Fine to AI Company

August 2022, KG Law Firm In Decision 35/2022, the Greek data watchdog, the Hellenic Data Protection Authority (“the Authority”), imposed a EUR 20 million fine on a US-based software company, for its web scraping techniques and functioning of its automated facial recognition system. The Authority’s investigation was instigated by a complaint concerning the AI company’s failure to respond to a data subject’s access request. The company’s activities fell under the scope of the General Data Protection Regulation (GDPR) given the latter’s extra-territorial applicability to processing…

Personal Data Protection Risks of Employee Diversity and Inclusion Programmes in Bulgaria

June 2022 Authors: Nikolay Zisov, Deyan Terziev, BOYANOV & Co. Over the last few years, diversity and inclusion have become more than policies, programmes, or headcounts. More and more companies in Bulgaria aim to achieve a certain percentage of employees who belong to a religion or ethnic group, as well as the inclusion of such persons at different work process levels, including by respecting their customs and traditions. However, such initiatives often face legal challenges, specifically in view of compliance with the applicable personal data protection laws. Partner Nikolay Zisov and…

Key Points From EDPB’s Guidelines on the Right of Access

March 2022 Author: Pablo Perez Laya, BDK Advokati Arts. 12 and 15 of the EU Data Protection Regulation (EU) 2016/679 (“GDPR“) regulate the right of access (“RoA“). This right consists of three main components: (i) confirmation of whether personal data are processed; (ii) access to the personal data; and (iii) information about the processing itself. The European Data Protection Board (“EDPB“) adopted, on 18 January 2022, the Guidelines 01/2022 on data subject rights – Right of access (“Guidelines“), to provide more precise guidance on how to implement the RoA in different…

Spain: Amazon Road Transport Fined for Requesting Criminal Records From Job Candidates

February 2022 Author: Pablo Perez Laya  On 11 February 2022, the Spanish Data Protection Authority (Agencia Española de Protección de Datos) fined Amazon Road Transport Spain, S.L. (“Amazon RT“) EUR 2,000,000, for including criminal record certificates within the documentation that it requests during the hiring process of freelance truck drivers. The following are the aspects of the decision which we have considered the most interesting: Certificates showing “clean” criminal records (i.e. that no crimes have been committed) do amount to personal data relating to criminal convictions…

Guidance for interpretation of the Serbian Data Protection Act

November 2021 BDK Advokati's senior associate Milica Basta participated in the online conference “Data Protection – 2021” organised by the agency Forum Media from Belgrade. The event took place on 29 November 2021. More than 20 professionals from public and private sector entities attended. Milica spoke about the tools for interpretation of the Serbian Data Protection Act (2018) when there is no available practice of the Serbian supervisory authority or courts. As the law is for the most part a copy of the EU General Data Protection Regulation (GDPR), Milica pointed to documents issued…

Processing of Personal Data Concerning Vaccinations and the EU Digital COVID-19 Certificate

November 2021 Recently, the Commission for Personal Data Protection (CPDP) published an opinion on the processing of personal data regarding the vaccination status in Bulgaria. It covers all the details regarding the EU digital COVID-19 certificates – their issuance, verification, and acceptance. In accordance with EU rules, EU certificates are only to be used to access and verify the information included therein to facilitate and allow the right of free movement within the EU during the pandemic. EU certificates can only be used for any different than the above-mentioned motives if the legal…

Polenak Law Firm Advised Singular And Its Owners

September 2021 As another proof of interest to invest in the IT sector in North Macedonia, Flutter Entertainment, a global sports betting, gaming, and entertainment provider, acquired 100% indirect ownership in Singular group of companies based in North Macedonia, Georgia, and Malta. Polenak Law Firm advised Singular and its owners on the transactional documents under Macedonian law. Also, our Regulatory & Compliance team advised the client in the complete harmonisation with the newest personal data protection requirements introduced with the new Data Protection Law which is now fully harmonised…

CNIL Refuses To Let Monsanto Off The Hook

September 2021 On 26 July 2021, the French Data Protection Authority (“CNIL“) issued a fine of EUR 400,000 against Monsanto, a leading company in the field of agricultural biotechnologies. The decision elucidates the criteria for differentiating between a data controller and a data processor and validates a strict approach to interpreting the obligation of data controllers to inform individuals about the processing of their personal data. In 2013, Monsanto entered into an agreement with Fleishman-Hillard, a public relations company. In the performance of the agreement, Fleishman-Hillard…

Serbia’s data protection law – BDK Advokati in GTDT/Lexology 2022 guide

August 2021 BDK Advokati has contributed to the Serbia chapter in the 2022 edition of Lexology Getting the Deal Through – Data Protection & Privacy (July 2021). The chapter presents the regulatory frameworks under Serbian data protection law which applies since August 2019. The law is modeled under the EU General Data Protection Regulation. The chapter also describes the instructions and guides issued by the Serbian supervisory authority – the Commissioner for Information of Public Importance and Personal Data Protection – to address the processing of personal data related to covid-19…

Turkish Data Protection Authority’s Announcement on The Partnerships’ Obligation to Register with VERBIS

On 25 June 2021, the Turkish Personal Data Protection Authority published an announcement regarding partnerships’ obligation to register with the Data Controllers’ Registry Information System.

Regulation on Sharing of Confidential Information Published

In June, the Banking Regulation and Supervision Authority published the Regulation on Sharing of Confidential Information.

The European Commission Issues Modernised Standard Contractual Clauses Under the GDPR

On 4 June 2021, the European Commission issued standard contractual clauses for use between controllers and processors and modernised standard contractual clauses for international transfers under the General Data Protection Regulation (the GDPR). The modernised standard contractual clauses will replace the three sets of standard contractual clauses for data transfers to third countries that were adopted under the previous Data Protection Directive 95/46. The modernised clauses cover data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) and data transfers…