Latest Articles

The French Data protection authority, CNIL, has issued a “Developer Kit” setting forth best practices for data protection. Key takeaways: Before using a development tool, especially for personal data, read the conditions of use. If the data requires a maximum level of confidentiality, use tools with a local instance, rather than the cloud. Conduct a data protection impact assessment (DPIA) at the outset, even if not required by GDPR. Start from a simple, correctly designed…
The Lithuanian data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimization, adequate security measures and data breach reporting requirements of GDPR. Key takeaways: Data minimization: Collect only the information you need. If you only need name, identification code, bank account number, currency, balance, purpose of payment/payment code, then collect just that. It is not necessary to also collect: date of unreported electronic invoicing, names and…
“C’est très compliqué aujourd’hui de se déclarer 100% conforme” “In reality, it’s very complicated to declare in total and perfect conformity [with GDPR], be it today, in five or ten years, because it’s a continuous process. A company never really achieves 100% compliance, it works on it every day. It seeks to have compliance champions, such as compliance officers or DPOs, and gives them autonomy,” says French privacy attorney Adrian Aulas. “Today, there is a…
The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018 and will take effect in 2020. Dubbed “GDPR Lite,” to denote its similarities to the EU General Data Protection Regulation (GDPR), it is expected to be a game-changer for U.S.-based companies that process sensitive data. With detailed disclosure requirements, a grant of extensive rights to individuals to control how their personal information is used, statutory…
“German regional data protection authorities have imposed fines in 75 cases totaling EUR 449,000 for breaches of the European General Data Protection Regulation (GDPR), since it came into effect in May 2018,” Welt Am Sonntag reports. “While fines have been low, it is important to note that regulators have other tools in their ‘belt of remedies’, including prohibiting further processing of personal data until an issue has been rectified. This may have a greater impact…
“While there are undoubtedly significant benefits in using new technologies, organisations need to be aware of the potential challenges when choosing and using any systems involving biometric data,” writes Steve Wood, Deputy Commissioner for Policy at the UK Information Commissioner’s Office. “Any organisations planning on using new and innovative technologies that involve personal data, including biometric data, need to think about these key points: Under the GDPR, controllers are required to complete a DPIA where…
“We’ve removed [all of the trash cans] because of the GDPR law.” GDPR does NOT prohibit the use of trash cans — the Irish Data Protection Commission tells Irish postal services provider. Irish postal service provider, An Post, removed all trash cans from the main hall of a central post office building, after an internal audit identified them as a potential risk of breaching GDPR. The Irish DPC said that “under no circumstances could public…
“The right to be forgotten does not apply in principle to medical records. However, as a patient, you may ask your health care provider to remove data from your medical record,” according to the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), which has issued guidance on GDPR and medical records. Key takeaways: For medical data that are not covered by the Medical Treatment Agreement Act, such as nursing care and in-home care, personal data…
The UK Information Commissioner’s Office (ICO) is strategically focusing on the “fairness” requirement under the GDPR, says U.K. Information Commissioner Elizabeth Denham. The focus is on unfair, invisible processing. This includes big tech, data brokers, credit reference agencies and adtech, with particular attention to transparency and fairness, as well as consent as a legal basis. Regarding Brexit, she said that if there is a hard Brexit and the UK becomes a third country, companies who commit…