We aim to analyze herein the implications of a long-term activity performed by a data protection officer (DPO) answering to questions including: Can the data protection officer, whether employed or outsourced, be sanctioned when it is established that the company is in breach of data processing rules? If yes - when, by what means and to what extent?
While CNIL’s recent decision to fine Google is still subject to legal challenge from Google, it is relevant to look into CNIL’s position in this matter, from the perspective of its potential impact on the future positions of other data protection authorities in similar matters and the risks associated with GDPR. The article below relies on publicly available sources and does not aim to draw any conclusions on the merits of the case or make any assessment of the respective factual situation of the matters to which CNIL’s decision refers to, but rather to look into CNIL’s reasoning and outline key aspects for consideration going forward by the market players.
Bucharest, April 11th 2019
Under the GDPR, every data controller that processes personal data through a data processor must conclude a GDPR-compliant data processing agreement with the processor. Parties may seek to negotiate the allocation of liability and shift it towards the other party. When doing this in Romania, we look at the interplay with the rules of the main forms of liability set out in the law.
Recent practice in the Romanian dispute resolution landscape has shown a rise in (i) litigation involving wrongful decisions concerning unpaid tax, lack of liquidities, and consequent lack of debt settlement, and (ii) cases of fraudulent acts linked to insolvent companies, mostly committed prior to the commencement of the insolvency proceedings.