REWE International $9M GDPR fine a lesson in managing subsidiary risk
By 
Neil Hodge2022-01-25T19:24:00
A recent decision by the Austrian Data Protection Authority against food retailer REWE International underlines the fact parent companies are ultimately responsible for how their subsidiaries manage people’s data, even if the offshoot entity operates separately.
Related articles
-
ArticleGDPR enforcement roundup: Austrian Post facing new record fine
The Austrian Post is once again appealing what would be a record GDPR fine in the country after successfully defending itself in the first instance. Other recent decisions under the law provide further enforcement trends.
-
ArticleTrio of U.K. fines expose third-party risks under GDPR
Recent GDPR fines against British Airways, Marriott, and Ticketmaster by the U.K. Information Commissioner’s Office each saw the regulator dismiss claims by the companies that third parties were primarily responsible for the data breaches in question.
-
Article
In second drastic reduction, ICO fines Marriott $23.8M
The Marriott GDPR fine handed down by the U.K. Information Commissioner’s Office is less than 20 percent of the original number the regulator proposed, the second time this month such a drastic reduction has taken place.
More from Regulatory Enforcement
-
ArticleSan Francisco firm pays $11.4M for alleged Russia-related sanctions violations
A San Francisco-based private equity firm has agreed to pay $11.4 million to settle allegations it violated U.S. sanctions rules by handling investments for a sanctioned Russian oligarch.
-
ArticleCompany agrees to report to FTC for 10 years for alleged student data lapses
A tech company that stores student information for schools has agreed to implement a data security program and report to the Federal Trade Commission for 10 years, after security failures led to data for 10 million students being breached.
-
ArticleLarge wound care practice pays $45M, agrees to monitoring
One of the largest wound care practices in the nation and its founder have agreed to pay $45 million and be subjected to third-party monitoring, to settle allegations that the business intentionally overbilled Medicare by priming its electronic medical records system to do so.