
Free tools and resources for Data Protection Officers!

Tag Archives for " compliance "

FTC Takes Action Against Companies Misrepresenting Compliance with the EU-U.S. Privacy Shield 

The Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and other international privacy agreements.

The FTC and SecurTest, Inc. reached a settlement agreement over allegations that SecurTest falsely claimed to participate in the Privacy Shield. The FTC also reported that it sent warning letters to 13 companies for claiming to participate in the U.S.-EU and U.S.-Swiss Safe Harbor frameworks, and to two companies for falsely claiming to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system.

Source: FTC Takes Action Against Companies Misrepresenting Compliance with the EU-U.S. Privacy Shield and Other International Privacy Agreements

ICO admits its own cookie policy is non-compliant with GDPR

The Information Commissioner's Office has admitted that its current consent notice relating to the use of cookies on devices failed "to meet the required GDPR standard".

The issue relates to cookies being placed automatically on a user's mobile device when accessing the ICO's website, which one complaint argued was in breach of the Privacy and Electronic Communications Regulations 2003, which sit alongside the GDPR.

Source: ICO admits its own cookie policy is non-compliant with GDPR | IT PRO

Swedish DPA digs into Spotify’s responses to SARs

The Swedish data protection authority, Datainspektionen, has initiated a review of Spotify Technology S.A.'s responses to data subject access requests (SARs).

The investigation was initiated following a number of complaints about how Spotify handles SARs. Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right to access the personal data any company holds about them.

The Swedish DPA noted that the information Spotify provides to users in response to a SAR is incomplete and not sufficiently clear. Datainspektionen has therefore asked Spotify to detail how it handles SARs, in particular what information it provides, what the copy of personal data includes, and how the information is presented to data subjects.

Source: Datainspektionen granskar rätten till registerutdrag (Datainspektionen reviews the right to a copy of one's personal data)

Lithuanian DPA launches investigation into D-Link

In response to publicly available information, the Lithuanian data protection authority, the State Data Protection Inspectorate, launched a self-initiated inquiry into the allegedly inappropriate processing of personal data by D-Link.

The concern is that D-Link device users' passwords, browsing history or other information could be accessed by servers in third countries through D-Link's devices, allowing consumers to be profiled and identified.

The State Data Protection Inspectorate also noted that D-Link's processing activity potentially violates the General Data Protection Regulation's (GDPR) transparency principle.

Source: State Data Protection Inspectorate Launches D-Link Research | State Data Protection Inspectorate

Fingerprint case highlights importance of biometric policies and consent

An unfair dismissal case has highlighted the need for companies to update policies and procedures and to obtain full consent before using biometric data in the workplace.

The Fair Work Commission in Australia found that a Superior Wood employee's dismissal for refusing to use a fingerprint scanner was unfair because the company had no privacy policy in place, did not obtain consent before collecting sensitive information, and failed to issue a privacy collection notice.

Full article: Fingerprint case highlights importance of biometric policies and consent

CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

Source: CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

Spanish DPA fines soccer league 250K euros

La Liga has been fined 250,000 euros by the Spanish Data Protection Agency (AEPD) for violating the EU General Data Protection Regulation (GDPR).

La Liga used its mobile app to detect bars that screen football matches without paying: the app activated the microphone of the user's phone so that it could pick up the sound of a match being shown from a private (non-commercial) signal. The AEPD found that the information presented to users about this processing was opaque.

Source: Spanish DPA fines soccer league 250K euros

One Year Into GDPR, Most Apps Still Harvest Data Without Permission

Unauthorized data harvesting by mobile apps has continued nearly unabated in the year since Europe's General Data Protection Regulation came into force in May 2018.

In a recent test conducted for AdExchanger, the mobile analytics company Kochava compared the behaviour of the top 2,700 apps in the Google Play store in the United States with their behaviour in France, where the GDPR applies.

Source: One Year Into GDPR, Most Apps Still Harvest Data Without Permission | AdExchanger

Google faces privacy complaints in European countries

Google's privacy woes are set to increase after campaigners on Tuesday filed complaints with data protection regulators in France, Germany and seven other EU countries over the way it handles data in online advertising.

At issue is real-time bidding, a server-to-server ad-buying process in which automated software matches millions of ad requests per second from online publishers with real-time bids from advertisers.

Source: Google faces privacy complaints in European countries – Reuters
