2022 and 2023 in Baltic Data Protection
At the end of January, we celebrated Data Protection Day. To mark that annual occasion, TGS Baltic’s Data Protection Team compiled an overview of the key market and enforcement trends in the Baltic region in 2022 and our predictions and recommendations for 2023.
ESTONIA
Key market and enforcement trends in 2022
- Illegal video and audio surveillance
As in previous years, the data protection authority (DPA) received many questions and complaints regarding the use of video surveillance (including audio surveillance). The main shortcomings identified by the DPA were failures to conduct legitimate interest assessments and properly notify data subjects. The largest non-compliance levy that the DPA warned data controllers of was 105 000 euros in total (15 000 for each requirement that the DPA ordered the controller to fulfill).
- Shortcomings in privacy policies
In most supervisory proceedings, the DPA found some shortcomings in the data controller’s privacy policy and ordered them to be remedied (e.g., unclear specification of the purposes and legal basis for processing, retention periods, and recipients; failure to explain how legitimate interest assessments will be made available to data subjects; etc.). The average non-compliance levy that the DPA warned data controllers of was 5000 euros (the maximum non-compliance levy for such a violation was 20 000 euros).
- Absence of cookie consent forms
Previously, the DPA was not very zealous in enforcing cookie regulations, which have not been properly implemented in Estonian local law. In 2022, however, several compliance notices were given for violations of cookie consent rules. The DPA explained in several cases that the requirement to obtain consent for placing non-essential cookies could be interpreted as being directly applicable from the e-Privacy Directive, while where personal data is involved, the consent requirement also arises from the GDPR. The average non-compliance levy that the DPA warned data controllers of was 5000 euros (the maximum non-compliance levy for such a violation was 20 000 euros).
Predictions for 2023
- The DPA’s practices most likely will not change but will become more detail-oriented
Pending more convenient measures (like administrative fines or changes to misdemeanor proceedings), we expect the DPA will continue its current practice of trying to achieve compliance via precepts and warnings (including non-compliance levies). Recall that Estonia’s legal system does not currently allow for the administrative fines envisaged in the GDPR, while sanctioning legal persons through misdemeanor proceedings is said to be inefficient and burdensome for all the parties. The DPA seems to be going into more detail on some topics and a single complaint by a data subject can lead to detailed inspection of multiple documents, from privacy policies to legitimate interest assessments.
- Hot topics
We expect that the DPA will continue enforcement with regard to surveillance cameras and employee monitoring in general, also making sure that privacy policies are detailed and specific. Furthermore, preventive joint supervision by the DPAs of the three Baltic countries in the field of short-term rental of vehicles (e.g., electric scooters) can be expected to yield results and recommendations.
LATVIA
Key market and enforcement trends in 2022
- Big fines have arrived
A fine of 1.2 million euros imposed on telecommunications provider Tet for unlawful processing of the personal data of an underage data subject was not the only surprise the DPA served up last year. In infringement proceedings against retailer DEPO DIY, the DPA first imposed a stunning 4.3 million euro fine for invalid consent, only to amend it later to a mere 17 495 euros upon appeal to the DPA director.
- The DPA knows what cookies you serve
Many companies received warnings from the DPA regarding the use of cookies on their websites last year. Those who hastily complied with the guidance in the warnings mostly escaped unharmed. Failure to swiftly show due respect for the GDPR and the DPA was penalized with infringement proceedings, though so far, to the extent publicly known, none have ended in large fines.
- Sectoral supervision
The DPA approached several companies and performed in-depth audits in a context of preventive sectoral supervision. The results and, hopefully, useful data processing guidelines, are expected in 2023. Meanwhile, companies in data-intensive sectors should be prepared for detailed inspections, including on short notice.
Predictions for 2023
- The DPA is expected to be less lenient
The staff hired by the DPA in 2020-2021 has now gained experience and is not afraid to challenge seasoned data protection lawyers. We expect to see a few big fines in 2023, though the DPA will likely continue its practice of mostly imposing warnings and fines of less than 15 000 euros, which generally are not appealed. But the DPA is likely to be less lenient towards outdated or insufficient compliance documents, such as risk assessments.
LITHUANIA
Key market and enforcement trends in 2022
- Data subjects ready and able to defend their rights
An end-of-year survey conducted for the DPA showed that more Lithuanians know their rights as data subjects and have acquainted themselves with the GDPR, as well as that more people are willing to do research and look up information they do not know or understand when they encounter improper data processing.
That could be why more than 85 percent of significant rulings passed by the DPA this year resulted from investigations started based on the complaint of a data subject. This trend shows that data subjects are more in touch with their rights and will go to the trouble of defending them, so proper compliance and management of data subject rights is becoming more important than ever.
- Health services
Health service providers were an object of special scrutiny by the DPA last year for a lack of due attention to the higher requirements for special categories of data. Rulings by the DPA show that (i) adherence to data processing principles enshrined in the GDPR (such as data minimisation and confidentiality) is a must, and (ii) that even if adequate procedures are in place, human error can still cause a breach. The latter shows that training is necessary in not only implementing, but also maintaining data security in your organization.
Predictions for 2023
- Cookies and data protection officers
The DPA’s efforts last year mainly focused on how well data controllers in the public and private sectors comply with requirements related to cookies and on the implementation of requirements for the work of DPOs.
The DPA organized a training session for managers and DPOs in late 2022. Based on the findings of investigations, we may see guidelines or “dos and don’ts” from the DPA. This, in turn, could be a useful tool for brushing up an organization’s procedures for data management and oversight.
- Sectors of interest
The results of and recommendations deriving from the preventive joint supervision of the DPAs of the three Baltic countries in the field of short-term rental of vehicles (e.g., electric scooters) can be expected.
However, the final activity reports are still under preparation and other sectors may also be subjected to coordinated audits.
TGS BALTIC RECOMMENDATIONS FOR 2023
Train your people! Given the increasing number of data breaches and other security incidents that may trigger notification obligations as well as the access and other requests from informed data subjects, it is essential that all employees understand your obligations and be able to properly handle any breaches, incidents, and requests. Mere procedures on paper are a start, but will not get you far.
Update your documents and procedures! While many companies made an effort to have all (or most) data-protection-related documents in place in 2018 when the GDPR became applicable, they have not kept those documents up to date, drafted other missing ones, or put the relevant procedures in place. Compliance is an ongoing process. Both changes in your own practices and new regulatory guidelines and practices require you to keep up to date.
Make sure your SCCs have been renewed! If you rely on Standard Contractual Clauses (SCCs) in your international data transfers, remember that new SCCs were introduced in 2021 and all old SCCs needed to be replaced by 27 December 2022.
Article provided by INPLP member: Mari-Liis Orav (TGS Baltic, Estonia)
Dr. Tobias Höllwarth (Managing Director INPLP)