It’s time for a short bite-sized round-up of the data protection stories which caught my eye over the last week or so.
- Another set of new SCCs are on the way in 2025! These will cover transfers to importers which are directly subject to the GDPR. Unfortunately, this means that organisations will need to do another round of updates to data transfer agreements to incorporate the new clauses. One challenging issue may well be determining, for each transfer, which importers are subject to the GDPR and which are not (Article 3 GDPR being a tricky beast), and therefore which clauses should apply in each case.
- There were two interesting CJEU AG Opinions published this week.
- In the first (C-383/23), the AG confirmed that, for the purpose of calculating the maximum amount of a GDPR fine, the term “undertaking” must be interpreted in line with EU competition law. In practice (depending on the influence the parent can have on its subsidiaries) this can often mean that the turnover of the whole group of companies will be taken into account rather than that of the specific controller or processor. However, the AG went on to say that whilst the concept of “undertaking” is relevant for setting the maximum fine, it is not a specific factor for determining the actual fine, and therefore supervisory authorities should not necessarily use group turnover as the main or only reference for setting the fine.
- In the second (C-203/22), the AG found that where a controller is required to provide “meaningful information” about the logic and consequences of automated decision making in response to a DSAR, this means they must provide clear and understandable information which would enable the data subject to challenge the decisions made. However, the controller is not obliged to disclose complex algorithms and technical details.
- The ICO has issued a reprimand against an online gambling website for deploying cookies before a consent pop-up was displayed to users. Whilst the ICO only chose to reprimand in this case (possibly because the website rectified the issue as soon as it became aware of it), it does demonstrate the ICO’s continuing scrutiny of adtech and cookies compliance.
- In an interesting decision relevant to assessing “risk” and “high risk” when it comes to data breach notification, the Polish DPA fined a bank a little under €1m for a data breach involving the erroneous disclosure of documents to another bank. The recipient bank promptly returned all the documents and, whilst it was probable that the recipient’s employees had read the documents, the controller took the view that the risk was minimal because of banking secrecy obligations which applied to the recipient. It therefore notified the DPA but not the individuals concerned. The DPA disagreed with that approach and found that the controller had not properly assessed that there was in fact a high risk.