The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the General Data Protection Regulation (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU. The ICO found that the company, AggregateIQ Data Services Ltd, failed to comply with the GDPR in a number of ways, including by processing personal information in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR. For further information, see the article written by our data protection team, which was first published in the November 2018 issue of PLC Magazine.
Key contacts
Steve Bell
Managing Partner - Employment, Industrial Relations and Safety (Australia, Asia), Melbourne
Emma Rohsler
Regional Head of Practice (EMEA) - Employment Pensions and Incentives, Paris
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.