Free tools and resources for Data Protection Officers!

Tag Archives for " compliance "

ICO admits its own cookie policy is non-compliant with GDPR

The Information Commissioners Office has admitted that its current consent notice relating to the use of cookies on devices failed “to meet the required GDPR standard”.

The issue relates to the automatic placing of cookies on a user’s mobile device when accessing the ICO’s website, which one complaint argued was in breach of the Privacy and Electronic Communications Regulations 2003, which sits alongside GDPR.

Source: ICO admits its own cookie policy is non-compliant with GDPR | IT PRO

Swedish DPA digs into Spotify’s responses to SARs

The Swedish data protection authority – Datainspektionen – had initiated a review of Spotify Technology S.A.’s responses to data subject access requests (SARs).

Investigation was initiated following a number of complaints regarding how Spotify manages data subject access requests (SARs). Article 15 of the General Data Protection Regulation (GDPR) provides individuals with right to access their data any company holds about them.

Swedish DPA noted that the information Spotify provided to users in response to a SAR is incomplete and not sufficiently clear. Therefore Datainspektionen asked Spotify to detail how it handles SARs, in particular, what information it provides, what information the copy of personal data includes, and how the information is presented to data subjects.

Source: Datainspektionen granskar rätten till registerutdrag

Lithuanian DPA launches investigation into D-Link

In response to publicly available information, the Lithuanian data protection authority – State Data Protection Inspectorate – launched an self-initiated inquiry into the allegedly inappropriate processing of personal data by D-Link.

It is feared that D-Link equipment user passwords, browsing history or other information can be accessed by third countries’ servers through D-Link’s devices, allowing profiling and identification of consumers.

State Data Protection Inspectorate also noted that D-Link’s processing activity potentially amounts to a violation of the General Data Protection Regulation’s (GDPR) transparency principle.

Source: State Data Protection Inspectorate Launches D-Link Research | State Data Protection Inspectorate

Fingerprint case highlights importance of biometric policies and consent

An unfair dismissal case has highlighted the need for companies to update policies and procedures and to obtain full consent before using biometric data in the workplace.

The Fair Work Commission in Australia found that Superior Wood employee’s dismissal for refusing to use a fingerprint scanner was unfair because the company did not have a privacy policy in place; it didn’t obtain consent before collecting sensitive information, and it failed to issue a privacy collection notice.

Full article: Fingerprint case highlights importance of biometric policies and consent

CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

Source: CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

Spanish DPA fines soccer league 250K euros

La Liga has been fined 250,000 euros for violating the Spanish Data Protection Agency (AEPD) and the European General Data Protection Regulation (GDPR).

La Liga was using their mobile app to detect the bars that screen football matches without paying by activating the microphone of any user’s mobile so that it can detect sounds that bars emits if a private signal is used. AEPD found that information presented to users was opaque.

Source: Spanish DPA fines soccer league 250K euros

One Year Into GDPR, Most Apps Still Harvest Data Without Permission

Unauthorized data harvesting from mobile apps has continued nearly unabated in the year since Europe’s General Data Protection Regulation came into force last May.

In a recent test conducted for AdExchanger, mobile analytics company Kochava examined the behavior of the top 2,700 apps in the Google Play store in the United States compared with France, where GDPR applies.

Source: One Year Into GDPR, Most Apps Still Harvest Data Without Permission | AdExchanger

Google faces privacy complaints in European countries

Google’s privacy woes are set to increase after campaigners on Tuesday filed complaints to data protection regulators in France, Germany and seven other EU countries over the way it deals with data in online advertising.

At issue is real-time bidding, a server-to-server buying process which uses automated software to match millions of ad requests each second from online publishers with real-time bids from advertisers.

Source: Google faces privacy complaints in European countries – Reuters

EDPS flags data protection issues on EU institutions’ websites

An inspection carried out by the European Data Protection Supervisor (EDPS) on the websites of major EU institutions and bodies revealed data protection and data security issues in seven out of the ten websites inspected.

The inspection revealed that several of the websites were not compliant with the Regulation or with the ePrivacy Directive and did not follow the EDPS Guidelines on web services. One of the issues encountered was third-party tracking without prior consent. This is especially problematic in cases where the third-party concerned operates under a business model based on the profiling and subsequent behavioural targeting of website visitors. Other issues encountered included the use of trackers for web analytics without visitors’ prior consent and the submission of personal data collected through web forms using non-encrypted connections.

Each of the institutions concerned has received recommendations from the EDPS on how to ensure their websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified.

Source: EDPS press release