RegRally Insights: Personal Data Protection and ICT Regulation – October 2024

ECOVIS ProventusLaw invites you to its newest all-in-one essential compliance newsletter on personal data protection and ICT regulation.

1. DORA Compliance Self-Assessment Tool Now Available for Financial Institutions

We have launched a DORA Compliance Self-Assessment Tool to assist financial institutions in preparing for the requirements of the Digital Operational Resilience Act (DORA), which applies in full from 17 January 2025. The tool evaluates an organisation's current compliance status and digital resilience across the regulatory areas that matter most for ICT and operational risk management.

Self-assessment is the first and essential step towards DORA compliance.

Key Features of the DORA Compliance Self-Assessment Tool:

  • Detailed Compliance Analysis: Covers the core DORA requirements, including ICT risk management, ICT-related incident reporting, digital operational resilience testing, and management of ICT third-party risk.
  • Comprehensive Review: Approximately 200 targeted questions support a complete assessment of digital resilience and operational risk practices.

More about the stages of the DORA compliance life-cycle and the tool can be found here.

To learn more and request access, book a call with us to start assessing and strengthening your organisation’s DORA readiness.

2. Lithuania Strengthens Cybersecurity with New Law Aligned to EU Standards

On 18 October 2024, the updated Republic of Lithuania Law on Cybersecurity ("Cybersecurity Law") came into force. It transposes and integrates key European Union legislation, including the NIS 2 Directive, the Cybersecurity Act, and the EU regulation establishing the European Centre of Excellence for Cybersecurity.

The revised law introduces a robust cybersecurity governance model with clear obligations for cybersecurity entities. Entities are now required to implement rigorous cybersecurity practices, including approval of cybersecurity policies, risk analysis, incident reporting, supply chain security, and appointment of designated cybersecurity officers. The head of each cybersecurity entity is responsible for ensuring compliance; violations may lead to sanctions imposed by the National Cyber Security Centre, including fines of up to €10 million or 2% of global annual turnover, temporary suspension of managers from their duties, and suspension of activities.

Additionally, the Lithuanian Government has approved new implementing measures, including the National Cyber Incident Management Plan, a methodology for identifying cybersecurity entities, and an enforcement framework. Read more here.

3. CJEU Clarifies “Legitimate Interest” Under GDPR for Commercial Data Processing

The Court of Justice of the European Union (CJEU) has ruled (Case C-621/22, judgment of 4 October 2024) on reliance on "legitimate interest" under the GDPR for processing personal data for commercial purposes, such as marketing, without the data subject's consent. The case involved the Royal Dutch Lawn Tennis Association (KNLTB), which had shared its members' personal data with sponsors for marketing purposes, resulting in a €525,000 fine from the Dutch Data Protection Authority.

The CJEU clarified that a purely commercial interest of the controller can qualify as a "legitimate interest" under Article 6(1)(f) GDPR, but only if all three conditions of the legitimate-interest test are met:

  1. The interest pursued is lawful and legitimate.
  2. The processing is necessary to achieve that interest, meaning it cannot reasonably be achieved just as effectively by less intrusive means.
  3. The interest is not overridden by the interests, fundamental rights and freedoms of the data subject.

The ruling emphasises that businesses relying on this legal basis must document a careful balancing of their commercial interests against the protection of the personal data concerned, and cannot treat a commercial interest as self-evidently sufficient.

4. Belgium DPA Imposes €40K Daily Fine for GDPR Cookie Banner Violations

The Belgian Data Protection Authority (DPA) imposed a €40,000 daily fine on a Belgian company for failing to comply with the GDPR's cookie consent requirements. The company:

  1. Did not display both an "accept all" and a "reject all" button on the first layer of its cookie banner.
  2. Used misleading colour contrast to nudge users towards consent, visually highlighting the "accept all" button and thereby making it harder to reject cookies.

The DPA found that this design increased the likelihood of users accepting cookies without a genuine choice, in breach of the GDPR's requirement that consent be freely given, specific and informed. The decision confirms that rejecting cookies must be as easy as accepting them, and that deceptive design patterns in the banner invalidate the consent obtained.

5. EDPB Draft Guidelines on Legitimate Interests under GDPR

On 8 October 2024, the European Data Protection Board (EDPB) issued Draft Guidelines 1/2024 on processing personal data based on legitimate interests under Article 6(1)(f) of the GDPR. The public consultation will run until 20 November 2024.

The Guidelines clarify that a legitimate interest must be lawful, clearly and precisely articulated, and real and present rather than merely speculative. The EDPB gives examples of interests that may qualify, including online access, product improvement, and commercial interests. It also explains that processing in the interest of a third party, such as establishing or defending a legal claim, can be permissible, but must not be confused with processing in the broader public interest. Read more.

6. Irish DPC’s Final Decision on LinkedIn’s Data Processing Practices

The Irish Data Protection Commission (DPC) issued its final decision in its inquiry into LinkedIn, imposing administrative fines totalling €310 million. The inquiry, prompted by a complaint originally filed with the French Data Protection Authority (CNIL), focused on LinkedIn's processing of personal data for behavioural analysis and targeted advertising.

Key Findings:

  • Consent: LinkedIn could not validly rely on Article 6(1)(a) (consent) to process third-party data (data obtained from sources other than the user) for behavioural analysis and targeted advertising, as the consent obtained was not freely given, sufficiently informed, specific, or unambiguous.
  • Legitimate Interests: LinkedIn could not validly rely on Article 6(1)(f) (legitimate interests) for processing either first-party or third-party data for these purposes, as its interests were overridden by the data subjects' interests, fundamental rights and freedoms.
  • Contractual Necessity: LinkedIn could not validly rely on Article 6(1)(b) (contractual necessity) to process first-party data for the same purposes.

Read more.

7. State Data Protection Inspectorate (SDPI) Guidance on Photograph Processing

The State Data Protection Inspectorate (SDPI) issued guidance on the processing of photographs that are of significant importance to an organisation's activities. The FAQ sets out the key obligations of data controllers when handling such photographs:

  • Selection Criteria: Organisations must establish clear criteria for determining which photographs are of significant importance.
  • Retention Periods: Retention periods for these photographs must be defined and documented.
  • Selection Procedure: An established procedure for selecting such photographs must be in place.

Additionally, the same rules apply to video and audio recordings.
