Tag Archives: Dr. Carolin Raspé

The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 Million GDPR Fine for Poor Customer Authentication

by Avi Gesser, Daniel Forester, Will Schildknecht, Jennifer Leather, and Dr. Carolin Raspé (Hengeler Mueller) 

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests. But how do you know that the person making the request is actually who they say they are? As we have previously noted on Davis Polk’s Cyber Blog, significant amounts of personal information are publicly available as a result of major data breaches, and that stolen data can be used to make fraudulent access requests. So, how can a company avoid turning a good-faith effort to comply with its GDPR or CCPA access rights obligations into a privacy violation by unknowingly providing the personal information of customer X to someone pretending to be customer X? A recent GDPR enforcement action in Germany, as well as guidance from German and California regulators, shows that companies must exercise diligence in making sure that they have properly authenticated the data subject who is making the access request. Continue reading

A 14.5 Million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

by Avi Gesser, Matthew Kelly, Will Schildknecht, Dr. Vera Jungkind (Hengeler Mueller), and Dr. Carolin Raspé (Hengeler Mueller)

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have implemented effective data minimization programs are careful to collect only the data that they are likely to use, and routinely get rid of old data that they no longer need, thereby significantly reducing their data protection risks.  A recent enforcement action by the Berlin Data Protection Commissioner echoes recent U.S. regulatory developments in suggesting that companies without data minimization procedures face not only increased cybersecurity and privacy risks, but also regulatory risks—ones that can lead to penalties even when they don’t lead to a specific cyber incident.  In other words, data minimization is becoming a stand-alone regulatory obligation, in addition to being a key component of cybersecurity best practices. Continue reading