Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

The Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, wp248rev.01, are available here. The GDPR requires controllers to implement appropriate measures to be able to demonstrate compliance with the GDPR itself, taking into account among others […]

Spanish DPA issues Eur 1.2 million fine to Facebook

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law. According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use […]

Belgian DPA publishes template to record processing activities

On August 30, 2017, the Belgian Data Protection Authority, Commissie voor de bescherming van de persoonlijke levenssfeer (CBPL), published a template to help organizations meet their duty to record processing activities under Article 30, GDPR. The template is available in Dutch and French and can be downloaded here. In June 2017, the Belgian DPA had published a recommendation […]

A reminder: breach of privacy can happen by mailing (as happened to Aetna)

We are accustomed to high-tech breaches of privacy; however, we should not forget that our personal information can also be appropriated through more traditional mistakes. It happened to Aetna. The insurance giant mailed envelopes with a large clear window through which anyone could see the name and address of the intended recipients. […]

New York City Bar Opinion 2017-5 on lawyer’s duty of confidentiality when crossing borders

On July 25, 2017, the New York City Bar issued Formal Opinion 2017-5, which concludes that lawyers have a duty to protect clients’ confidential information from disclosure. This duty stretches to U.S. border agents searching electronic devices. Lawyers shall take “reasonable precautions” to avoid disclosure of clients’ confidential information. Such precautions will vary based […]

New Jersey adopts Personal Information and Privacy Protection Act

On July 21, 2017, New Jersey adopted the “Personal Information and Privacy Protection Act.” According to the law, retailers may scan an ID card only under certain circumstances. By “scanning” the law means to access the barcode or any other machine-readable section of the card “with an electronic device capable of deciphering, in an electronically […]

Implementation of the data protection impact assessment according to the GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR). Regulation (EU) 2016/679 repeals Directive 95/46/EC and expands on […]

Conseil d’Etat requests preliminary ruling from CJEU on Right to be Forgotten

The right to be forgotten has been judicially recognized by the CJEU with the Google Spain judgment (Case C-131/12). According to the judgment, Europeans have the right to disappear from search engines’ results under certain conditions. The National Commission of Information Technologies and Liberties (CNIL), Commission nationale de l’informatique et des libertés, rejected some complaints […]

ICO issues data protection self assessment toolkit

The United Kingdom DPA, the Information Commissioner Officer (ICO), published an interactive checklist for organizations to assess compliance with the Data Protection law and to explain how to comply with the GDPR. The ICO’s toolkit includes the following topics: Data protection assurance; Getting ready for the GDPR; Information security; Direct marketing; Records management; Data sharing and subject access […]

Ardi Kolah, Cloud Service Providers under the GDPR

The author discusses how cloud service providers may be considered Data Processors under the EU General Data Protection Regulation (GDPR) if they provide “data processing services (e.g. storage) on behalf of the Data Controller without determining the purposes and means of processing (Art.4(7) and (8), GDPR).” The article draws a line between duties and responsibilities […]