Free tools and resources for Data Protection Officers!

Tag Archives for "compliance"

Google accused of GDPR privacy violations by seven countries

Consumer groups across seven European countries have filed GDPR complaints against Google’s location tracking (via Reuters). The European Consumer Organisation (BEUC), of which each of the groups is a member, claims that Google’s “deceptive practices” around location tracking don’t give users a real choice about whether to enable it, and that Google doesn’t properly inform them about what this tracking entails. If upheld, the complaints could mean a hefty fine for the search giant.

Full article: Google accused of GDPR privacy violations by seven countries – The Verge

LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook

LinkedIn has been called out a number of times for how it is able to suggest uncanny connections to you, when it’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place.

Ireland’s Data Protection Commissioner had conducted — and concluded — an investigation of Microsoft-owned LinkedIn, originally prompted by a complaint from a user in 2017, over LinkedIn’s practices regarding people who were not members of the social network.

Full article: LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook | TechCrunch

You probably have more personal data, in more systems, than you think.

There are lots of guides on the internet to consent and so forth, but relatively few that dive into hands-on implementation details. Often, legal teams possess a strong understanding of regulatory requirements and the goals of company operations, but they don’t share the same knowledge of systems and data movements implemented across marketing and sales.

Full article: You probably have more personal data, in more systems, than you think.

Christmas spirit triumphs over GDPR in Germany

A German town managed to revive a children’s Christmas tradition after European data protection laws very nearly scrapped it.

In previous years up to 4,000 wishes to Father Christmas were placed on a tree at a Christmas market in the southern town of Roth and the city council would then attempt to fulfill those wishes, which included the names and addresses of the children who wrote them.

But the popular activity had to stop in 2016 because of Germany’s data privacy legislation and GDPR, as the legislation requires parents of minors to provide consent to the use of their kids’ data.

Local radio station Antenne Bayern found a solution by creating a wish list, which included a parental consent disclaimer, which can be printed from their website and put in the wishing box at the Christmas market.

Source: Christmas spirit triumphs over GDPR in German town of Roth – CNN

Irish watchdog clarifies record keeping and DPIAs interaction under GDPR

Ireland’s data protection authority has clarified how record keeping obligations under the General Data Protection Regulation (GDPR) interact with the duties of businesses to carry out data protection impact assessments (DPIAs).

Full article: GDPR: Irish watchdog clarifies record keeping and DPIAs interaction

How a small French privacy ruling could remake adtech for good

A ruling in late October against a little-known French adtech firm that popped up on the national data watchdog’s website earlier this month is causing ripples of excitement to run through privacy watchers in Europe who believe it signals the beginning of the end for creepy online ads.

CNIL’s decision suggests that bundling consent to partner processing in a contract is not, in and of itself, valid consent under the European Union’s General Data Protection Regulation (GDPR) framework.

Full article: How a small French privacy ruling could remake adtech for good | TechCrunch

First German data protection authority issues GDPR fine

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first German data protection authority to impose a fine under the GDPR. The fine of € 20,000 sanctions the violation by a social media company of its obligation to ensure data security of processing of personal data pursuant to Art. 32 (1) (a) GDPR (obligation to pseudonymise and encrypt personal data).

Full article: Germany: First data protection authority issues GDPR fine

Cathay Pacific case shows data breach reporting challenges

Multinational companies experiencing a major data breach face significant challenges in co-ordinating co-operation with investigating authorities around the world.

The scale of the challenge was highlighted recently when the chief executive of airline Cathay Pacific, Rupert Hogg, revealed that the company had provided details of a data breach the business first disclosed last month to 27 different authorities spanning 15 jurisdictions.

The case is an example of how the discovery of data breaches can trigger a duty to notify those breaches to not only data protection authorities and impacted customers, but financial regulators and financial markets too.

Full article: Cathay Pacific case shows data breach reporting challenges

UK ICO Issues Warning to Washington Post Over Cookie Consent Practices

The UK Information Commissioner’s Office (“ICO”) issued a warning to the U.S.-based The Washington Post over its approach to obtaining consent for cookies to access the service. The Washington Post presents readers with the option of free access to a limited number of articles dependent on consent to the use of cookies and tracking for the delivery of personalized ads. To avoid third-party ad tracking (and advertising), a higher-fee premium subscription should be chosen.

The ICO concluded that since The Washington Post has not offered a free alternative to accepting cookies, consent cannot be freely given and the newspaper is in contravention of Article 7(4) of the EU General Data Protection Regulation (“GDPR”).

Source: UK ICO Issues Warning to Washington Post Over Cookie Consent Practices

Dutch government report says Microsoft telemetry breaks GDPR

The telemetry data collection mechanism used by Microsoft Office breaks the EU General Data Protection Regulation (GDPR), Dutch authorities said in a report. Investigators said they’ve identified the “large scale and covert collection of personal data” through Office’s built-in telemetry collection capabilities, which is done without properly informing users.

Full article: Dutch government report says Microsoft Office telemetry collection breaks GDPR | ZDNet
