Now serving complaint #6241…

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidelines on how it will prioritize the handling of complaints filed with it under the EU General Data Protection Regulation (GDPR).

Criteria include:

  1. How harmful is the alleged violation for the individual(s)? This depends on the nature of the data and the nature of the violation.
  2. What is the broader social significance? For example, does the case involve processing of personal data by governments or in healthcare, trade in personal data, unreported data leaks, or data leaks caused by serious shortcomings in security?
  3. To what extent will the DPA be able to act effectively, taking into consideration the other complaints filed with it and its available manpower and budget?

If a complaint scores high on several criteria, there may be more reason for further investigation by the DPA. In exceptional circumstances, however, further investigation can be started with a low score on all criteria.

Read the full guidelines.

A total of 41 fines have reportedly been issued for GDPR violations across the various German states.

Violations included:

  • A clinic accidentally handed over a copy of a severely handicapped person’s ID card to the wrong patient.
  • Bank customers were able to see the bank statements of third parties in online banking.
  • Web shop customer data was copied without authorization following a hacker attack.
  • A hotel could not rule out that, following a hacker attack accompanied by an extortion attempt, credit card or other customer data from its booking system had fallen into the wrong hands.
  • In a fire department in the state of Bremen, all phone calls were recorded: not only the emergency calls, but all outgoing and incoming calls.
  • Advertising mailings, dashcam use and open e-mail distribution lists were also the subject of fines.

Details from Handelsblatt.