Tag Archives for "data subject rights"

Research reveals six common CX failures when handling GDPR information requests

A recent study conducted by Macro 4 reveals problems in the way companies are handling data subject access requests – an important consumer right enshrined in the GDPR – which threaten to damage consumer trust.

Macro 4’s study evaluated how effectively DSARs are being handled by a sample of 37 UK enterprises, including large financial services companies, utility companies and telecommunications providers. The research uncovered six ways in which companies are failing to meet the requirements of the GDPR and are delivering a level of service that is well below expectations.

Full article: Research reveals six common CX failures when handling GDPR information requests | CustomerThink

CJEU to answer questions about Right to be delisted

The French court the Conseil d’Etat has asked the European Court of Justice for a preliminary ruling on a series of questions concerning the implementation of the right to be delisted from search results.

The right to be delisted is not absolute. Insofar as the removal of links from the list of results displayed following a search made on the basis of a person’s name may have consequences for the legitimate interest of internet users in receiving access to information, the European Court of Justice proceeds to strike a balance between that interest and the person’s fundamental rights, in particular the right to private life and to the protection of personal data.

Source: Right to be delisted

DSAR test reveals huge data breach potential

A phoney data subject access request (DSAR) made by a woman’s partner to companies in the UK and the US prompted a return of personal data from 25% of the firms contacted.

The security specialist making the request leveraged the terms of the GDPR to make his claim. He got in touch with dozens of companies on both sides of the Atlantic, stating in each case that he wanted information held on his fiancée. One of the data returns held his fiancée’s criminal record check.

Source: DSAR test reveals huge data breach potential

German court decides on the scope of GDPR right of access

The Supervisory Authority of the Hesse region stated that the term “copy” in Art 15 GDPR should not be understood literally but rather in the sense of a “summary”.

This interpretation appears to conflict with an earlier decision of the Labor Appeals Court of Stuttgart which ordered an employer to provide actual copies of all information held by the company.

More recently, the Appeal Court of Cologne held that the customer of an insurance company is entitled to access all personal data pertaining to him and processed by the company, including any internal notes regarding conversations between company employees and the customer.

Source: German court decides on the scope of GDPR right of access

Right to delete is coming to Australia

Shadow Assistant Treasurer Stephen Jones said his party secured a “breakthrough commitment” from the government that would see the Consumer Data Right (CDR) gain the ability to have consumer information deleted.

This new legislation will give Australian consumers an “off switch” when it comes to data sharing. An off switch would mean that a consumer has the power to determine when a company should no longer hold their data.

Source: Labor thinks the right to delete is coming for Australia’s CDR after winter break | ZDNet

Italian DPA Issues Judgment Concerning ‘Right to be Forgotten’

On July 22, 2019, the Italian supervisory authority for data protection (Garante) issued a judgment involving the so-called “right to be forgotten”.

The Garante held that, in accordance with Article 21 of the GDPR, the data subject has the right to object to the processing of personal data on the grounds of his or her particular situation.

On that basis, Google is required to stop the processing of the personal data unless it can demonstrate compelling legitimate grounds.

Furthermore, the Garante made clear that the principles of data protection apply to any information concerning an identified or identifiable natural person. Thus the “right to be forgotten” applies to any search, not exclusively to searches by an individual’s name.

Source: Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’

Research aims to automatically answer user questions on online privacy policies

Internet users may soon have a way to have their questions about online privacy policies answered automatically, thanks to a new multi-institution research project that includes Penn State. The project aims to enable people to ask questions about the privacy issues that matter to them when reviewing privacy policies.

The researchers will create software in the form of mobile applications, web browser plugins and interactive websites by developing and using algorithms in the areas of natural language processing, machine learning, and knowledge representation and reasoning. The interdisciplinary project aims to reinvent notice and choice — the idea that privacy policies are sufficient because users are given notice about how their information will be used and choices about what they can do in regards to the policy, such as opting out of certain features.

Source: Research aims to automatically answer user questions on online privacy policies | Penn State University

UK decision to deny EU citizens access to data challenged in court

The government has been taken to court over its decision to deny European citizens the right to access data the Home Office holds on individuals in immigration cases.

In a high court judicial review, campaigners for EU citizens allege that a clause in the Data Protection Act 2018 unlawfully excludes them from rights they would otherwise hold to access private data held by third parties.

Source: UK decision to deny EU citizens access to data challenged in court | UK news | The Guardian

A few practical tips for managing subject access requests

Subject access requests are the bane of many an in-house privacy professional’s life.

It may seem curious that, on the one hand, we take seriously as privacy professionals our responsibility to uphold data subjects’ rights while, on the other, the exercise of one of the most fundamental of these rights – that of access to data – will typically cause even the most dedicated of privacy professionals to emit a small whimper.

Full article: A few practical tips for managing subject access requests

Users must receive specific and helpful information in case of a data breach

Users may not be given merely generic information in case of a data breach; specific guidance must be made available on how to prevent unlawful use of one’s personal data, in particular identity theft.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers, following the proceeding initiated after the company had notified the Garante of a data breach.

Source: Italian SA: Users must receive specific, helpful information in case of a data breach
