Tag Archives for "data subject rights"

Research aims to automatically answer user questions on online privacy policies

Internet users may soon have a way to have their questions about online privacy policies answered automatically, thanks to a new multi-institution research project that includes Penn State. The project aims to enable people to ask questions about the privacy issues that matter to them when reviewing privacy policies.

The researchers will create software in the form of mobile applications, web browser plugins and interactive websites by developing and using algorithms in the areas of natural language processing, machine learning, and knowledge representation and reasoning. The interdisciplinary project aims to reinvent notice and choice — the idea that privacy policies are sufficient because users are given notice about how their information will be used and choices about what they can do with regard to the policy, such as opting out of certain features.

Source: Research aims to automatically answer user questions on online privacy policies | Penn State University

UK decision to deny EU citizens access to data challenged in court

The government has been taken to court over its decision to deny European citizens the right to access data the Home Office holds on individuals in immigration cases.

In a high court judicial review, campaigners for EU citizens allege that a clause in the Data Protection Act 2018 unlawfully excludes them from rights they would otherwise hold to access private data held by third parties.

Source: UK decision to deny EU citizens access to data challenged in court | UK news | The Guardian

A few practical tips for managing subject access requests

Subject access requests are the bane of many an in-house privacy professional’s life.

It may seem curious that, on the one hand, we take seriously as privacy professionals our responsibility to uphold data subjects’ rights while, on the other, the exercise of one of the most fundamental of these rights – that of access to data – will typically cause even the most dedicated of privacy professionals to elicit a small whimper.

Full article: A few practical tips for managing subject access requests

Users must receive specific and helpful information in case of a data breach

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity theft.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach.

Source: Italian SA: Users must receive specific, helpful information in case of a data breach

Swedish DPA digs into Spotify’s responses to SARs

The Swedish data protection authority – Datainspektionen – has initiated a review of Spotify Technology S.A.’s responses to data subject access requests (SARs).

The investigation was initiated following a number of complaints regarding how Spotify manages SARs. Article 15 of the General Data Protection Regulation (GDPR) provides individuals with the right to access the data any company holds about them.

The Swedish DPA noted that the information Spotify provided to users in response to a SAR is incomplete and not sufficiently clear. Therefore, Datainspektionen asked Spotify to detail how it handles SARs, in particular, what information it provides, what information the copy of personal data includes, and how the information is presented to data subjects.

Source: Datainspektionen granskar rätten till registerutdrag

ICO launches the ‘Be Data Aware’ campaign

The UK’s Information Commissioner’s Office (ICO) is launching the ‘Be Data Aware’ campaign to help the general public understand how organisations use their data.

The ‘Be Data Aware’ campaign helps people understand how organisations might be using their data to target them online, as well as informing people on how they can control it.

Source: ICO launches the ‘Be Data Aware’ campaign

Irish DPA Examines Right to Rectification

In light of increased awareness of the rights granted to individuals under the new data protection legislation, Ireland’s data protection authority (DPA) – the Data Protection Commission – has published a note to clarify aspects of the right to rectification of personal data.

In particular, it examines the recording of names of individuals that contain diacritical marks (for example, fadas in the Irish language).

Read note: Examination of Right to Rectification complaints | 30/04/2019 | Data Protection Commission

First fine imposed by the Polish privacy watchdog

The President of the Personal Data Protection Office (UODO) imposed its first fine for the amount of PLN 943 000 (around €220 000) for the failure to fulfil the information obligation.

The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past.

The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons, the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In the opinion of the President of the Personal Data Protection Office, such action was insufficient.

Source: First fine imposed by the President of the Personal Data Protection Office | European Data Protection Board

Facebook Promised A Clear History Tool. Where Is It?

Last May, Facebook promised to create a “Clear History” function it said would give users more control over their data. Nine months later it’s nowhere to be found and sources say it’s a key example of the company’s “reactionary” way of dealing with privacy concerns.

Full article: Former Facebook Employees Say The Company’s Prioritization Of Privacy Is About Optics

GDPR investigation begins after a filmmaker’s name is misspelt

The Irish Data Protection Commission (IDPC) is looking into a potential breach of GDPR standards, after a filmmaker filed an official complaint for the misspelling of his name.

The director at the centre of what may be a landmark case, Ciarán Ó Cofaigh, claims the EU’s new data laws provide individuals with the legal right to have their name correctly spelt.

Source: GDPR investigation begins after a filmmaker’s name is misspelt