Included in this edition of Data & Privacy News: New changes to court process for privacy claims in England; ICO updates guidance on timescales for responding to data subject requests; Swedish DPA issues first GDPR fine for school trialling facial recognition technology; and more...


Mock Data Breach and GDPR Investigation Event

Would your business be prepared for a data breach? 

Come along to our Mock Data Breach event at our Leeds office on Thursday 12th September or our London office on Thursday 24 October to hear from experts about the impact it could have on your business, and how to prepare yourself post GDPR.

New changes to court process for privacy claims in England 

The Ministry of Justice has announced changes to the Civil Procedure Rules which will affect privacy and data protection claims. CPR 53 and the related pre-action protocol which covers defamation cases will be amended to include claims for misuse of private information, data protection and harassment by publication.

From the 1 October 2019, more detail will be required in letters of claim for data protection cases and all claims for data protection and misuse of private information must be brought in the High Court in London.

These changes could add costs to smaller and straightforward cases, though whether this acts as a deterrent in bringing claims for damages for data breaches (particularly class-action suits) remains to be seen.

ICO updates guidance on timescales for responding to data subject requests

The ICO have updated their guidance on timescales for responding to data subject access requests and individual rights requests, following a ruling by the Court of Justice of the European Union. The day of receipt is now 'day one' rather than the day after receipt, regardless of whether it is a working day or not. For example, a request received on 1 September would need to be complied with by 1 October, not 2 October.

The ICO have also updated their Individual Rights pages to account for this ruling.

Swedish DPA issues first GDPR fine for school trialling facial recognition technology

The Swedish Data Protection Authority (DPA) has fined the Skelleftea municipality £16,800 for breaching the GDPR after it trialled facial recognition technology on high school students to monitor their attendance.

The trial was conducted over a 3 week period on 22 students, tracking when each entered a specific classroom.

The DPA found that Skelleftea's local authority had unlawfully processed biometric data and had failed to complete an adequate impact assessment. 

This is the first GDPR fine issued by the Swedish DPA, with the watchdog indicating that the fine would have been bigger if the trial had been longer.

In the same week, the ICO launched an investigation into the use of live facial recognition technology at King's Cross Station.

Data breach hits MasterCard loyalty programme in Germany and Belgium

MasterCard has notified German and Belgium regulators of a data breach affecting customers of its 'Priceless Specials' loyalty programme after discovering it on the 19 August.

The Belgian Data Protection Authority stated that customer data from the loyalty programme had appeared on the internet for "a certain period of time".

Customer data included names, payment card numbers, email addresses, dates of birth, home addresses and phone numbers. 

MasterCard reported that a significant number of the victims were German but it notified the Belgian Authority as that is where their regional headquarters are situated. It also added that "there was an event involving the Priceless Specials loyalty platform in Germany managed by a third party vendor" which caused the distribution of the information on the internet.

Key Contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

View profile
Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile