
General Data Protection Regulation (GDPR)

Radical legislative changes – offenders facing administrative fines in the order of millions of euros

Among other requirements, the General Data Protection Regulation (GDPR) imposes rigid compliance requirements on companies in the event of cyber attacks: any data protection breach must now be notified to the data protection supervisory authority within 72 hours at the latest. If this time limit is exceeded or no notification is made, administrative fines of millions of euros may be imposed. Operators of critical infrastructures (i.e. entities that are vital for the functioning of the community) must additionally comply with the requirements of the IT Security Act. In particular, they must implement appropriate organisational and technical safeguards to avoid any interference with the functioning of their information technology systems, and furnish proof of compliance with these standards to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik; BSI) every two years.

News and insights

Blog Post: 22 February 2024

EDPB adopts opinion on the notion of main establishment during 90th plenary

The European Data Protection Board (EDPB) during its 90th plenary session, on 14 February 2024, amongst other things: adopted an opinion (the Opinion) on the notion of a controller’s main…


Blog Post: 14 February 2024

ICO and AEPD take steps for protection of minors

The Information Commissioner’s Office (ICO) launched a campaign called ‘Think. Check. Share’ (the Campaign) on 29 January 2024, to promote responsible data sharing to safeguard children. The Campaign…


Blog Post: 10 January 2024

CJEU rules that a credit score constitutes automated decision making under the GDPR

On 7 December 2023, the Court of Justice of the European Union (CJEU) issued a landmark judgment on Article 22 of the General Data Protection Regulation (GDPR), focused on decision making based solely…


Blog Post: 13 September 2022

Germany – Schrems II: German court overturns presumption of international data transfer from EU-subsidiary to non-EU parent company

On 13 July 2022, the Public Procurement Chamber of the German state of Baden-Württemberg (the Public Procurement Chamber) issued a decision confirming that personal data processed by an EU subsidiary…
