
Tag Archives for " data subject rights "

A few practical tips for managing subject access requests

Subject access requests are the bane of many an in-house privacy professional’s life.

It may seem curious that, on the one hand, we take seriously as privacy professionals our responsibility to uphold data subjects’ rights while, on the other, the exercise of one of the most fundamental of these rights – that of access to data – will typically cause even the most dedicated of privacy professionals to emit a small whimper.

Full article: A few practical tips for managing subject access requests

Users must receive specific and helpful information in case of a data breach

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity theft.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach.

Source: Italian SA: Users must receive specific, helpful information in case of a data breach

Swedish DPA digs into Spotify’s responses to SARs

The Swedish data protection authority – Datainspektionen – had initiated a review of Spotify Technology S.A.’s responses to data subject access requests (SARs).

The investigation was initiated following a number of complaints regarding how Spotify manages data subject access requests (SARs). Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right to access the data any company holds about them.

The Swedish DPA noted that the information Spotify provided to users in response to a SAR is incomplete and not sufficiently clear. Therefore Datainspektionen asked Spotify to detail how it handles SARs, in particular, what information it provides, what information the copy of personal data includes, and how the information is presented to data subjects.

Source: Datainspektionen granskar rätten till registerutdrag

ICO launches the ‘Be Data Aware’ campaign

The UK’s Information Commissioner’s Office (ICO) is launching the ‘Be Data Aware’ campaign to help the general public understand how organisations use their data.

The ‘Be Data Aware’ campaign helps people understand how organisations might be using their data to target them online, as well as informing people on how they can control it.

Source: ICO launches the ‘Be Data Aware’ campaign

Irish DPA Examines Right to Rectification

In light of increased awareness of the rights granted to individuals under the new data protection legislation, Ireland’s data protection authority (DPA) – Data Protection Commission – has published a note to clarify aspects of the right to rectification of personal data.

In particular, it examines the recording of names of individuals that contain diacritical marks (for example, fadas in the Irish language).

Read note: Examination of Right to Rectification complaints | 30/04/2019 | Data Protection Commission

First fine imposed by the Polish privacy watchdog

The President of the Personal Data Protection Office (UODO) imposed its first fine, in the amount of PLN 943 000 (around €220 000), for the failure to fulfil the information obligation.

The decision of the UODO’s President concerned proceedings related to the activity of a company which processed data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority found non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past.

The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons, the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In the opinion of the President of the Personal Data Protection Office, such action was insufficient.

Source: First fine imposed by the President of the Personal Data Protection Office | European Data Protection Board

Facebook Promised A Clear History Tool. Where Is It?

Last May, Facebook promised to create a “Clear History” function it said would give users more control over their data. Nine months later it’s nowhere to be found and sources say it’s a key example of the company’s “reactionary” way of dealing with privacy concerns.

Full article: Former Facebook Employees Say The Company’s Prioritization Of Privacy Is About Optics

GDPR investigation begins after a filmmaker’s name is misspelt

The Irish Data Protection Commission (IDPC) is looking into a potential breach of GDPR standards, after a filmmaker filed an official complaint for the misspelling of his name.

The director at the centre of what may be a landmark case, Ciarán Ó Cofaigh, claims the EU’s new data laws provide individuals with the legal right to have their name correctly spelt.

Source: GDPR investigation begins after a filmmaker’s name is misspelt

GDPR makes it easier to get your data, but doesn’t mean you’ll understand it

“Right of Access” says that, when requested, any company should be prepared to provide you with your personal data.

They should provide it in a way that’s easy for you to read, in a timely manner, and with enough background information for you to understand how they got it and how they use it. The problem is that companies can often be really stingy about actually providing this data.

Full article: GDPR makes it easier to get your data, but doesn’t mean you’ll understand it – The Verge