The Liechtenstein data protection authority has issued guidance on joint controllership under GDPR:
Examples of joint controllers:
1. If two companies jointly organize a competition in which the name and address are...more
Do I have to disclose documents with confidential internal correspondence, and comments from my staff as part of a GDPR data subject access request? The Court of The Hague says “Yes, you do.”...more
Who is responsible for putting a GDPR Article 28 Data Processing Agreement in place?
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, says: BOTH the data controller and the data processor....more
“Since the [EU US Privacy Shield] Framework’s implementation on August 1, 2016, more than 5,000 companies have made public and legally enforceable pledges to protect data transferred from the EU in accordance with the Privacy...more
Under the Bahrain Personal Data Protection Law (PDPL), which came into effect on August 1, 2019, organizations need to obtain consent from customers in order to collect, process, store and use their personal information for...more
The Higher Regional Court of Cologne Germany has held that internal recorded statements, conversation notes or telephone notes constitute personal data and copies of them must be disclosed in response to a data access...more
The Belgian Data Protection Authority holds that a Data Protection Officer (DPO) may not himself/herself delete personal information of a data subject.
Doing so constitutes a violation of the General Data Protection...more
The Hellenic DPA has issued an opinion regarding the appropriate legal basis for processing employee data under GDPR:
Consent should be used as the legal basis only where the other legal bases do not apply....more
A Facebook “like” is actually more like “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long awaited decision in the Fashion ID matter.
At issue: The legal framework surrounding...more
The European Commission has published a report looking at the impact of the EU data protection rules, and how implementation can be improved further....more
“The decision to impose documentation requirements, rather than bright line rules, represents a significant departure from how the government traditionally aims to protect the public. It is akin to if federal regulators,...more
Big Picture Takeaways:
Facebook faces many detailed requirements for internal and external governance and oversight with extensive reporting requirements...more
7/25/2019
The Danish Data Protection Authority has issued guidance on the transmission of personal data via text messages (SMS).
Key takeaways:
Sending personal data by SMS is risky as it entails transmission in clear text, over...more
The European Data Protection Board (EDPB) has issued an opinion on the standard contractual clauses proposed by the Denmark Data Protection Authority that contains important takeaways for drafting and negotiating of all...more
If you retain personal data indefinitely, or have not given thought to your retention schedule – now may be the time to take another look.
The Danish Data Protection Authority has fined a furniture store 200,000 EUR for...more
The Federal Trade Commission (FTC) has entered into a settlement with a provider of management software for car dealerships that held personal information, including SSNs and payroll information, in cleartext, holding its...more
Spotlight on adequate/reasonable protections to personal information – Part 1 – France.
CNIL fined a real estate company 400,000 EUR for failure to implement adequate protections to personal data in violation of GDPR....more
“The game-changing rules [of GDPR] have not only made Europe fit for the digital age, they have also become a global reference point,” say Andrus Ansip, Vice-President for the Digital Single Market and Vera Jourová,...more
The French Data Protection Authority, CNIL, has issued a “Developer Kit” setting forth best practices for data protection.
Key takeaways:
Before using a development tool, especially for personal data, read the...more
The Lithuanian data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimization, adequate security measures and data breach reporting requirements of GDPR....more
The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018 and will take effect in 2020. Dubbed “GDPR Lite,” to denote its similarities...more
“The right to be forgotten does not apply in principle to medical records. However, as a patient, you may ask your health care provider to remove data from your medical record,” according to the Dutch Data Protection...more
The Dutch Data Protection Authority makes six recommendations on drafting your data protection policy, based on its audits of privacy policies of blood banks, IVF clinics and political parties.
A good data protection policy...more
The French Data Protection Agency CNIL received 11,077 complaints in 2018, up 32.5 percent compared to 2017.
Other highlights from the CNIL 2018 report:
CNIL carried out 310 investigations in 2018, of which 204 were...more
“Where the sponsor processes personal data of data subjects in the EU, including in the context of managing the clinical trial, GDPR is fully applicable, including the obligation to designate a representative in the...more