EU to check for GDPR violations in Microsoft’s contracts with EU institutions

The European Data Protection Supervisor (EDPS), the European Union’s data protection watchdog, has started an investigation into Microsoft’s contracts with EU institutions.

The investigation will focus on the contracts EU institutions have signed with Microsoft and on whether the clauses in these contracts comply with the EU’s new data protection regulation, also known as the General Data Protection Regulation (GDPR).

Source: EU to check for GDPR violations in Microsoft’s contracts with EU institutions | ZDNet

Finland Approves Act On The Secondary Use Of Social And Health Care Personal Data

The Finnish Parliament has approved the new general Act on the Secondary Use of Social Welfare and Health Care Data in March 2019.

The new Act codifies the relevant legislation and broadens the possibilities to, under certain conditions, utilize and combine for secondary purposes personal data collected in relation to public or private social and health care operations.

Source: Finland: Parliament Approves New Act On The Secondary Use Of Social And Health Care Personal Data

EU Commission Issues Recommendation on Cybersecurity in the Energy Sector

The European Commission has published a Recommendation on cybersecurity in the energy sector.

The Recommendation builds on recent EU legislation in this area, including the NIS Directive and the EU Cybersecurity Act (see our posts here and here). It sets out guidance to achieve a higher level of cybersecurity, taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.

Source: EU Commission Issues Recommendation on Cybersecurity in the Energy Sector

French DPA Issues Standard Regulation For Biometric Systems In The Workplace

On 10 January 2019, following a sectoral consultation with public bodies and private organisations, CNIL adopted its first standard regulation laying down legally binding rules for data controllers subject to French law who use biometric systems to control access to premises, devices and applications at work.

The Regulation prescribes specific requirements for the processing, by a public or private employer, of biometric data to control accesses to work premises, to information systems or applications used in the context of business tasks entrusted to data subjects (i.e., employees, agents, interns and contractors).

Given the particular sensitivity of biometric data, the Regulation sets out stringent obligations to data controllers regarding the conditions of processing of such biometric data in the workplace.

Full article: France: The First Cnil Standard Regulation For Biometric Systems In The Workplace

Association of German Supervisory Authorities issues paper on broad consent for research

On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent and the principle of purpose limitation.

According to the DSK, broad consent should only be used in exceptional circumstances when it is not possible to establish at the outset the expected scope of the research. Moreover, the DSK suggests that a broad consent can be fixed at a later stage of the research by narrowing down the scope of the research once that scope is clearer – i.e., deliberately not using the obtained flexibility.

Full article: Association of German Supervisory Authorities issues paper on broad consent for research

European Commission Releases Study on GDPR Data Protection Certification Mechanisms

The European Commission has published a final report, “Data Protection Certification Mechanisms: Study on Articles 42 and 43 of the Regulation (EU) 2016/679”.

The overall aim of the study is to support the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Articles 42 and 43 GDPR.

More specifically, the purpose of the assignment is to: i) accompany the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Art. 42 and 43 GDPR, and ii) collect all relevant information for the Commission in view of the possible implementation of Art. 43(8) GDPR on the requirements for data protection certification mechanisms and of Art. 43(9) GDPR on the technical standards for certification mechanisms and data protection seals and marks, and for mechanisms to promote and recognise those certification mechanisms, seals and marks.

Read report: Data Protection Certification Mechanisms: Study on Articles 42 and 43 of the Regulation (EU) 2016/679

Department of Justice Releases White Paper on CLOUD Act

On Wednesday, the U.S. Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide.

The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.

Source: Department of Justice Releases White Paper on CLOUD Act

Bounty UK fined £400,000 for sharing personal data unlawfully

The Information Commissioner’s Office (ICO) has fined Bounty (UK) Limited £400,000 for illegally sharing personal information belonging to more than 14 million people.

An ICO investigation found that Bounty, a pregnancy and parenting club, collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.

Source: Bounty UK fined £400,000 for sharing personal data unlawfully

GDPR: 10 Months down the road

The European Data Protection Board (the “EDPB”) recently published an overview on GDPR’s implementation since its enforcement last May, and the roles of national supervisory authorities in this regard.

As of today, almost all Member States have implemented and enforced the GDPR in their national laws. The only remaining exceptions are Czech Republic, Greece, Slovenia and Portugal.

PrivacyPerfect have summarised and examined some of the items we consider key to the success of GDPR.

Full article: GDPR: 10 Months down the road | PrivacyPerfect blog

The Pitfalls of Personalisation

Hyper-personalisation is often considered the ‘holy grail’ of consumer experiences. It’s convenient, it’s targeted and in an ideal world it’s exactly what the consumer needs. But three quarters of consumers find at least some personalised marketing “somewhat creepy”.

On both sides of the Atlantic, attitudes towards data, privacy and personalisation are shifting. In the US, 57% of consumers say they’re now more concerned about data and privacy than they were a year ago. And 68% would like to see the US adopt a strict data-privacy law, similar to Europe’s General Data Protection Regulation (GDPR). In Europe itself, research by the Open Data Institute found that as little as 2% of consumers trust advertisers with their personal data.

Full article: The Pitfalls of Personalisation