General Data Protection Regulation (GDPR)
Radical legislative changes – offenders facing administrative fines in the order of millions of euros
Among other requirements, the General Data Protection Regulation (GDPR) imposes strict compliance obligations on companies in the event of cyber attacks: any personal data breach must now be notified to the data protection supervisory authority within 72 hours. If this time limit is exceeded or no notification is made, administrative fines of millions of euros may be imposed.

Operators of critical infrastructures (i.e. entities that are vital for the functioning of the community) must additionally comply with the requirements of the IT Security Act. In particular, they must take appropriate organisational and technical safeguards to avoid any interference with the functioning of their information technology systems and furnish proof of compliance with these standards to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik; BSI) every two years.