A new month means only one thing: a new "Keep up overview" is here.

By now you may have concluded that we love to keep track of the most exciting and interesting news regarding GDPR and the European Union and to share it with you. So, this month we have again highlighted a few items.

We want to start this time with something different - cryptocurrency. You could say that cryptocurrency has become normal to us, but when we talk about any new topic, we want to start from the definition.

Cryptocurrency is a digital representation of value or rights that can be stored and traded electronically. So, we can agree that there is a whole new world out there and, once again, the European Union is making sure that we are always legislatively prepared for everything. This autumn the European Commission adopted a new package on digital finance that includes a legislative proposal on cryptocurrency. The proposed legislative framework is the Regulation of Markets in Crypto-assets (MiCA), which aims at innovation, financial stability and protection of investors from risk. What we emphasize in particular is the envisaged "passport system", where an operator authorized to operate in one EU member state can provide services throughout the Union.

Perhaps the most interesting piece of information is that the Commission is proposing a trial regime for those markets that want to try trading and settling transactions in financial instruments in the form of cryptocurrencies. Such a regime would take place in a controlled environment and would allow for temporary deviations from existing regulations, all for the purpose of gaining experience and responding to risks that threaten investors, the market and financial stability.

So, this is a small step for humanity, but a big step for many cryptocurrency investors and the EU.

We also came across some interesting, “worth reading” news that we want to share with you.

This crazy story is about H&M’s data protection violation.

Here is the short version – since at least 2014, employees of the company, which is registered in Hamburg and operates a service center in Nuremberg, have been subject to extensive recording of details about their private lives.

The company recorded conversations with its employees about vacations and sick leave in so-called “Welcome Back Talks”. Employees would be asked about their symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.
This kind of information was stored digitally, was used, and was readable by up to 50 managers throughout the company.

So, the Hamburg Commissioner for Data Protection and Freedom of Information imposed a 35.3 million euro fine for data protection violations in H&M's Service Center.
The company complied and submitted a data record of around 60 gigabytes for evaluation. After the data was analyzed, interrogations of numerous witnesses confirmed the documented practices.

So, here is how they got caught.

The point is that their system had an error and the press reported on it. In October 2019 the data collection became known due to a configuration error, and the Hamburg Commissioner for Data Protection and Freedom of Information was informed through the press reports. He first ordered the contents of the network drive to be "frozen" and then demanded that they be handed over.
Various corrective measures have been taken.

The HmbBfDI (the Hamburg Commissioner) was presented with a comprehensive concept for how data protection is to be implemented at the Nuremberg site from now on. The company management has not only expressly apologized to those affected, it has also followed the suggestion to pay the employees considerable compensation. This is an unprecedented acknowledgement of corporate responsibility following a data protection incident.

Further elements of the introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, increasingly communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.

We can always learn something from these kinds of stories.

Stay tuned, because soon we are going to share something big with you.

Take care!

Your AP team