September 2020
European Data Protection Days

The European Data Protection Days have been postponed to May 17-19, 2021. They will take place in Berlin, Germany. For more information, registration, and the conference programme and agenda, check here.

September 2020
GDPR Enforcement Tracker

On this website you can find a list and overview of the fines and penalties that data protection authorities within the EU have imposed under the EU General Data Protection Regulation. The website is updated on a regular basis, and the data can be filtered by country, breach, amount of fine, etc.

September 2020
The European Data Protection Board has published for public consultation the Guidelines on the concepts of controller and processor and the Guidelines on the targeting of social media users

At its 37th plenary, held on 4 September 2020, the European Data Protection Board (EDPB) adopted Guidelines on the concepts of controller and processor under the General Data Protection Regulation and Guidelines on the Targeting of Social Media Users.

The EDPB has adopted Guidelines on the concepts of controller and processor under the General Data Protection Regulation. Since the entry into force of the Regulation, questions have arisen as to the extent to which it has changed these concepts, in particular with regard to joint controllers and the obligations of processors of personal data. The guidelines consist of two main parts: one explaining the different concepts and another including detailed guidelines for controllers, processors and joint controllers. The guidelines include a diagram that provides additional practical explanations.
The guidelines on the concepts of controller and processor under the General Data Protection Regulation have been published for public consultation, which will take place until 19 October 2020 - HERE.

The EDPB has also adopted Guidelines on targeting social media users. The guidelines aim to provide practical explanations and contain examples of various situations so that stakeholders can quickly identify the "scenario" that is closest to the targeting practice they intend to implement. The main purpose of the guidelines is to clarify the roles and responsibilities of the social media provider and the targeted object. To this end, the Guidelines identify potential risks to the freedoms of individuals, key players and their roles in targeting, the application of key data protection requirements such as legality, transparency and data protection impact assessment, as well as key elements of agreements between providers of social media and individuals. In addition, the Guidelines focus on the various targeting mechanisms, the processing of special categories of data and the obligation of joint controllers to put in place an appropriate agreement under Article 26 of the GDPR.

The Guidelines on targeting social media users have been published for public consultation, which will take place until October 19, 2020 - HERE.


September 2020
9th Data Protection Convent in Poland

On the 7th of October 2020, the 9th Data Protection Convent, organised by Lubasz and Partners – an Attorney-in-Law’s Office and the auditing company FORSAFE, will be held online. Data protection specialists from the worlds of science, administration and business will discuss the implications of GDPR, as well as any updates that need to be made in the personal data protection law. New trends in cybersecurity will also be presented. The agenda also includes workshops and, for the first time in the history of the Convent, a debate with the participation of the authors and editors of the comments to GDPR and a second one with experts in data security.

More information and registration at

September 2020
Spanish Data Protection Authority (AEPD) imposes fine on company for not complying with advertisement exclusion.

The Spanish Data Protection Authority (AEPD) imposed a fine of 1.200 EUR on a company for calling a data subject to offer them a deal on hotels while they were included in an advertisement exclusion system. By joining this system, the data subject exercised their right to object to processing for marketing purposes under Article 21 GDPR. However, the company did not comply with its obligation to consult the advertisement exclusion system before making a telephone call for marketing purposes, in order to avoid processing their personal data.
The data subject received a call from the data controller’s number, stating that a friend of theirs had provided the company with their telephone number so that it could offer them a hotel voucher, naming other friends of theirs and declaring that they had joined the promotion.
The AEPD considered that this constitutes a breach of Article 48(1)(b) of Spanish Law 9/2014, the General Telecommunications Law.

SOURCE: European Data Protection Board

September 2020
The Court of Justice of the European Union (CJEU) invalidated the EU-US framework for regulating transatlantic exchanges of personal data for commercial purposes (Privacy Shield)

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, a framework approved by the European Union and the US government for complying with EU data protection requirements when data is transferred between the United States and the European Economic Area (EEA).

The European Court of Justice in Luxembourg determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under the European privacy rights law. The decision will impact more than 5.000 companies in the EU and the US using the system since its creation in 2016.

The court’s decision will drastically change the way companies trade data across the Atlantic. They will be forced to find new legal mechanisms to continue moving data, and may respond by storing more data inside the European Union. Companies must be sure that a government outside Europe meets European privacy standards, the decision cautioned.

According to Didier Reynders, European commissioner for justice, “The judgment is another steppingstone in the E.U. commitment to ensuring that personal data is fully protected in the E.U. and its transfers outside of the E.U.”

SOURCE: The New York Times

August 2020
Fines paid by European countries under GDPR

Finbold has ranked EU countries according to the amount and number of fines and penalties the authorities imposed under GDPR in those countries. The biggest number of fines was imposed in Spain (46), and Italy has paid the biggest total of fines (45,609,000 EUR). The total of GDPR fines across European countries is 60,181,250 EUR.

The ranking is available here:

July 2020
Awarding the finalists of the Student’s essay competition, Bulgaria

On July 17, 2020, the official award ceremony for the finalists of the annual student competition organized by the Commission for Personal Data Protection (CPDP) in Bulgaria took place. The Student’s essay competition was announced on the occasion of the Day of Personal Data Protection, January 28, celebrated each year in a number of countries around the world.
The competition is the first annual initiative of its kind organized by a national data protection authority in the European Union. The initiative aims to involve young people in seeking solutions to the challenges of personal data protection in the context of digitalisation and globalization, covering all spheres of life.
At the first stage, the participants wrote an essay on the topic: “Emerging technologies and personal data protection - legislation and practical application”. 5 candidates were admitted to the second round of the student’s competition. Within 10 minutes each of them defended their ideas in front of the competition committee with a pre-created presentation and exposition.
This year's winner in the student’s essay competition of the Commission for Personal Data Protection in Bulgaria is Irena Alexandrova. Her essay grabs the reader from the beginning: "May 2020, humanity is experiencing catharsis, the world is facing the biggest challenge so far, and technology is about to take over our familiar world and replace it with a whole new universe of rules and boundaries". Her essay impresses with its understanding of the development of technology, artificial intelligence (AI) and the Internet of Things, while focusing on possible ways to introduce specific uniform standards in the field of personal data protection legislation and their practical application. The winner received a diploma, a cash prize of BGN 1,000, a smartphone and a paid one-month internship at the Commission for Personal Data Protection.


June 2020
SMEs and Business Consultants: GDPR needs and preferred training, learning and support tools

Starting right before the COVID-19 outbreak in Europe, the project partners have concluded wide-ranging research in Bulgaria, Greece, Poland and Spain to identify the needs of SMEs and consultants that have to be covered in order to collaborate in creating a data protection culture within enterprises. The results of our survey (conducted through both an online questionnaire and interviews) are going to guide us in developing the right approach and training content for business consultants to work together with SMEs on GDPR-related issues and, above all, in adopting a data protection philosophy throughout their everyday processes! Several priorities for both SMEs and consultants came to the surface depending on country-specific conditions. However, some main aspects seem to be common across all four countries, and they have to do with the following:

• Gaining a deeper understanding about the general requirements of GDPR
• Having the ability to clearly understand where each SME stands in terms of obligations towards GDPR (moving from general understanding to the particular case of ‘my SME’)
• Taking a step further, beyond the sanctions-and-penalties attitude, towards looking at GDPR as an opportunity for a new business model with lots of benefits for both the internal organization of an SME and its customer base.

These points, plus the further very useful feedback we received, are guiding our next steps in the development of training material that will be offered online and free of charge to business consultants.

Stay tuned for a more detailed account of the MindTheData research results, which will be made available here, in the News section.

April 2020
Mindthedata and Covid-19

During this hard period for all we continue working and try to make ends meet by proceeding with our project through remote working. We wish all the best for everyone to get out of this situation! We will resume our News feeds soon, so stay tuned! Stay safe and protect yourselves and the others!

November 2019
EU project mindthedata kicked-off in Yambol, Bulgaria

The Yambol Chamber of Commerce and Industry hosted the first meeting of the mindthedata project on the 7th and 8th of November 2019. During this first get-together of the partnership, we discussed the course of action for our project, and each partner brought in first-hand knowledge about the state of GDPR compliance among SMEs in their own country. We set up a schedule of what we need to know first, before laying down a training and learning concept for consultants and SMEs that will be attractive and to the point. Hence, we left Yambol with a clear overview of our goals, and we plan to start with our first activity, which is about collecting data from SMEs and business consultants, just before Christmas and into the New Year 2020.