Checklist for drafting your controller-controller data sharing agreement (from the ICO Data Sharing Code of Conduct now out for public consultation): What is the purpose of the data sharing initiative? Which other organizations will be involved in the data sharing? Are we sharing data along with another controller? What data items are we going to share? What is our lawful basis for sharing? Is there any special category data or sensitive data? What about access…

Questions to ask when sharing data between two data controllers (from the ICO Data Sharing Code of Conduct): What is the sharing meant to achieve? What information do we need to share? Could we achieve the objective without sharing the data or by anonymizing it? What risks does the data sharing pose to individuals? Is it right to share data in this way? What would happen if we did not share the data? Are we…

The UK Information Commissioner’s Office has issued a data sharing code of conduct for public consultation. Key takeaways: When considering sharing data, assess your overall compliance with the data protection legislation. Consider conducting a Data Protection Impact Assessment (DPIA) even if not required. It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards…

The European Data Protection Board has issued guidance on the use of video surveillance. Key takeaways: The monitoring purposes of cameras should be documented in writing. Data subjects must be informed of the purpose(s) of the processing: “safety” or “for your safety” is not sufficient The most likely legal bases for video surveillance are: legitimate interest and “necessary in the public interest.” Data subjects’ consent can only serve as a legal basis in exceptional cases.…

“The Federal Trade Commission fined Facebook a record-setting $5 billion on Friday for privacy violations, according to multiple reports. The penalty comes after an investigation that lasted over a year, and marks the largest in the agency’s history by an order of magnitude. If approved by the Justice Department’s civil division, it will also be the first substantive punishment for Facebook in the United States, where the tech industry has gone largely unregulated.” Details from …

The European Data Protection Board has issued an opinion on lead supervisory authority in the event of a change of location of the main establishment of an organization. Highlights: Competence to act as lead supervisory authority can switch to another supervisory authority until a final decision has been reached. Relocation of a main establishment to another European Economic Area Member State mid-procedure: First authority is deprived of its original competence; operations already carried out remain…

The European Data Protection Board’s addressed some interesting issues during its 12th Plenary Session on July 9 and 10: Guidelines on how the GDPR applies to the processing of personal data when using video devices. Opinion on the draft Standard Contractual Clauses (SCCs) for framing the processing by a processor submitted to the Board by the Danish Supervisory Authority (SA). If all recommendations are implemented, the Danish SA will be able to use this draft…