PRESS RELEASE / October 2021

SMEs and GDPR: The mindtheDATA info days

Download pdf

PRESS RELEASE / October 2021

Testing the mindtheDATA online platform with business consultants

Download pdf

September 2021
Things to learn from the 20 biggest GDPR fines (2019-2021)

Read the article and have a look at the GDPR violations and how they could be avoided. This is NOT and issue for mega companies only! Could happen to the small company next door as well. Read the article here (in English)

PRESS RELEASE / August 2021

Supporting SMEs in personal data protection and the GDPR: A multilingual and free online platform for business consultants

May 2021
Data protection and working from home

In this article by ico.we can find interesting advice about things companies and employees should know when working from home.

Read the article here and use the clickable items for further advise (in English)

April 2021
The "side effects" of GDPR in the COVID-19 pandemic

From the collection of health data of employees in the form of thermal camers for example, to biomedical research procedures, GDPR is maybe "begging" for some updates. Read more about the issue in this article (in English)

April 2021
GDPR 2021: data protection and access to personnel files

Dealing with personal data, such as that of employees and customers, is often an unforeseen difficulty for SMEs. Read the article here (in English)

March 2021
Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application

On the 25th of March 2021, the European Parliament has published the resolution of the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application. Regarding SMEs in paticular, it is stated that: ...some stakeholders report that the application of the GDPR has been particularly challenging, especially for small and medium sized enterprises (SMEs), ...and more support, information and training should be made available by national authorities and Commission information campaigns in order to help increase knowledge, the quality of implementation and awareness of the requirements and purpose of the GDPR.

Click here to read the report (available in 21 EU languages)

September 2020
European Data Protection Days

The European Data Protection Days have been postponed for May 17-19, 2021. They will take place in Berlin, Germany. For more information, registration and conference programme and agenda check here.

September 2020
GDPR Enforcement Tracker

In this website you can find a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation. The website is updated on a regular basis, and data can be filtered by country, breach, amount of fine etc.

September 2020
The European Data Protection Board has published for public consultation the Guidelines on the concepts of controller and processor and the Guidelines on the targeting of social media users

At its 37th plenary, held on 4 September 2020, the European Data Protection Board (EDPS) adopted Guidelines on the concepts of controller and processor under the General Data Protection Regulation and Guidelines on the Targeting of Social Media Users.

The EDPS has adopted Guidelines on the concepts of controller and processor under the General Data Protection Regulation. Since the entry into force of the Regulation, questions have arisen as to the extent to which it has changed these concepts, in particular with regard to joint controllers and the obligations of processors of personal data. The guidelines consist of two main parts - one explaining the different concepts and another including detailed guidelines for administrators, processors and joint administrators. The guidelines include a diagram that provides additional practical explanations.
The guidelines on the concepts of controller and processor under the General Data Protection Regulation have been published for public consultation, which will take place until 19 October 2020 - HERE.

The EDPS has also adopted Guidelines on targeting social media users. The guidelines aim to provide practical explanations and contain various examples of various situations so that stakeholders can quickly identify the "scenario" that is closest to the targeting practice they intend to implement. The main purpose of the guidelines is to clarify the roles and responsibilities of the social media provider and the targeted object. To this end, the Guidelines identify potential risks to the freedoms of individuals, key players and their roles in targeting, the application of key data protection requirements such as legality, transparency and data protection impact assessment, as well as key elements of agreements between providers of social media and individuals. In addition, the Guidelines focus on the various targeting mechanisms, the processing of special categories of data and the obligation of joint controllers to put in place an appropriate agreement under Article 26 of the GDPR.

The Guidelines on targeting social media users have been published for public consultation, which will take place until October 19, 2020 - HERE.


September 2020
9th Data Protection Convent in Poland

On the 7th of October 2020, the 9th Data Protection Convent, organised by Lubasz and Partners – an Attorney-in-Law’s Office and the  auditing company  FORSAFE, will be held online. Data protection specialists from the worlds of science, administration and business will discuss the implications of GDPR, as well as any updates that need to be made in the personal data protection law. New trends in cybersecurity will be also presented. The agenda also includes workshops and, for the first time in the history of the Convent, a debate with the participation of the authors and editors of the comments to GDPR and a second one – with experts in data security.

More information and registration at

September 2020
Spanish Data Protection Authority (AEPD) imposes fine on company for not complying with advertisement exclusion.

The Spanish Data Protection Authority (AEPD) imposed a fine of 1.200 EUR on a company for calling the data subject, offering them a deal on hotels, while they were included in an advertisement exclusion system. By joining this system, the data subject exercised their right to object to processing for marketing purposes under Article 21 GDPR. However, the company did not comply with its obligation of consulting the advertisement exclusion system before making a telephone call with marketing purposes in order to avoid processing their personal data.
The data subject received a call from the data controller’s number, stating that a friend of them had provided the company with their telephone number so that they offer them a hotel voucher, naming other friends of theirs and declaring that they had joined the promotion.
The AEPD considered that this constitutes a breach of Article 48(1)(b) of the Spanish Law 9/2014 General Telecommunications.

SOURCE: European Data Protection Board

September 2020
The European Union Court of Justice (CJEU) invalidated the EU-US framework for regulating transatlantic exchanges of personal data for commercial purposes (Privacy Shield)

On July 16, 2020, the European Union Court of Justice (CJEU) invalidated the EU-US Privacy Shield, a framework approved by the European Union and US government for complying with EU data protection requirements when data is transferred between the United States and the European Economic Area (EEA).

The European Court of Justice in Luxembourg determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under the European privacy rights law. The decision will impact more than 5.000 companies in the EU and the US using the system since its creation in 2016.

The court’s decision will drastically change the way companies trade data across the Atlantic whose will be forced to find new legal mechanisms to continue moving data which may be responded by storing more data inside the European Union. Companies must be sure that a government outside Europe meets European privacy standards, cautioned the decision.

According to Didier Reynders, European commissioner for justice, “The judgment is another steppingstone in the E.U. commitment to ensuring that personal data is fully protected in the E.U. and its transfers outside of the E.U.”

SOURCE: The New York Times