GDPR Fines: Dutch regulator website imposes fines for lack of EU representative; Norway fines US company AdTech for illegal processing


The Dutch data protection authority has imposed a unique fine for violating the GDPR requirement to appoint a GDPR representative in the EU, which applies to organizations established outside the EU. The fine of € 525,000 was imposed on the operator of the website, which publishes the contact details of the people concerned, often without their knowledge, to allow others to locate and contact them. The Dutch data protection authority said it had received complaints from Dutch data subjects who wanted to opt out of the website but were unable to get an effective response from the website.

According to the Dutch Data Protection Authority, the website publishes the personal data of around 700,000 people from the Netherlands, and their inability to remove themselves from the list was largely due to the absence of a representative. of the EU for the website.

The Norwegian Data Protection Authority has announced its intention to impose a heavy fine of 2.5 million euros on the Californian company Ad-Tech Disqus for the collection and processing of personal data which monitors activities in line of the Norwegians through the use of cookies, without obtaining their prior, specific and granular consent. The Norwegian Data Protection Authority has found that in the absence of consent there is no valid legal basis for Disqus to collect and process this data, rejecting Disqus’ arguments that it can rely on its legitimate interests to legitimize its collection and processing of this data.

The Norwegian data protection authority concluded that Disqus had acted negligently in not activating its notification and consent tool for Norwegian data subjects, because it wrongly identified Norway as a non-GDPR country because it is not an EU member state. Although Norway is not an EU member state, it is a member of the European Economic Area, which includes other European countries that have also adopted the GDPR.

The Norwegian data protection authority justified the heavy fine due to the duration of the breach (around 18 months), the estimated volume of people affected (hundreds of thousands to millions), the inability to contain and mitigate the breach because the personal data collected had already been disseminated throughout the AdTech industry, the commercial and lucrative nature of the breach, the inclusion of minors in the group of data subjects and the sensitive nature of the personal data collected, which could be indicative of sensitive categories of data such as political opinions.

CLICK HERE to read the Dutch Data Protection Authority press release on the fine imposed on

CLICK HERE to read the Norwegian Data Protection Authority’s advance notice of administrative fine against Disqus, Inc.

Source link

Leave A Reply

Your email address will not be published.