Jowanna Conboye discusses implications of European data breach case with Compliance Week
A recent decision by the Austrian Data Protection Authority against food retailer REWE International underlines the fact that parent companies are ultimately responsible for how their subsidiaries manage people’s data, even if the offshoot entity operates separately.
Compliance Week analyses the case, and Jowanna Conboye, Data Protection and Intellectual Property Partner, explains:
“The principles of this case are very pertinent to many businesses in the UK and EU, particularly those with group structures. When it comes to liability and fines the GDPR looks at ‘undertakings’ – an established principle enshrined in competition law that looks at finances and control, and often ignores the distinction between different group companies. It will therefore be very hard for a parent company like REWE to argue that it is not liable for GDPR breaches by a subsidiary company.”