Tag Archives for "EDPS"

EU institution staff ‘unaware’ of Microsoft data misuse

Members of staff working across the EU institutions are "not aware" of the extent to which the US tech firm Microsoft collects and stores their data as part of the use of its products and services, the EU's data protection watchdog has said.

The issue centres around the concern that the contractual terms under agreements for the provision of Microsoft products and services to the EU institutions could be in breach of EU data protection law.

Source: EU institution staff ‘unaware’ of Microsoft data misuse, EU data chief says – EURACTIV.com

Spanish Supervisory Authority and EDPS release guidance on hashing for data pseudonymization and anonymization purposes

On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages.

The guidance provides examples of how controllers can make the re-identification of hashed messages more difficult. These examples include encrypting the message (prior to hashing), encrypting the hash value, or adding "salt" or "noise" (i.e., a random value) to the original message before hashing.
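The following is an added illustration, not code from the AEPD/EDPS guidance, of the point the guidance makes: a bare hash of an identifier with a small, known input space is trivially reversed by hashing every candidate, while a secret key or a random salt changes the attacker's position. The staff-ID format and the sample identifier are constructed for the example; HMAC-SHA256 stands in here for the guidance's option of keeping a secret between the input and the hash, and a per-record salt for its "noise" option.

```python
"""Added example: re-identification of hashed identifiers and two mitigations.
Assumptions (not from the guidance): identifiers are zero-padded 5-digit staff
IDs, the sample identifier is '04217', and the attacker knows that format."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic and computable by anyone."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the controller.
    Still deterministic (same identifier, same pseudonym, so records stay linkable),
    but enumerating the input space is useless without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def salted_hash(identifier: str, salt: bytes) -> str:
    """SHA-256 over a salt prepended to the identifier.
    A global secret salt behaves like a key; a fresh salt per record makes
    equal identifiers produce different outputs (no cross-record linkage)."""
    return hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()


def brute_force(target: str, candidates: Iterable[str],
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash every candidate and compare with the target."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def staff_ids(digits: int = 5) -> Iterable[str]:
    """Constructed input space: '00000' .. '99999' (100,000 candidates)."""
    return (str(i).zfill(digits) for i in range(10 ** digits))


def demo() -> dict:
    victim = "04217"  # constructed sample identifier
    key = secrets.token_bytes(32)

    # 1. Plain hash: the whole input space fits in a loop, so the value comes back.
    recovered_plain = brute_force(plain_hash(victim), staff_ids(), plain_hash)

    # 2. Keyed hash: the attacker knows the format but not the key, so the same
    #    enumeration with the unkeyed function never matches.
    recovered_keyed = brute_force(keyed_hash(victim, key), staff_ids(), plain_hash)

    # 3. Global secret salt: pseudonyms remain linkable across datasets.
    pepper = secrets.token_bytes(16)
    linkable = salted_hash(victim, pepper) == salted_hash(victim, pepper)

    # 4. Per-record random salt: two records of the same person no longer match.
    #    Caveat: if the salt is stored next to the hash, an attacker holding both
    #    can still run the dictionary attack, once per record.
    unlinkable = salted_hash(victim, secrets.token_bytes(16)) != \
        salted_hash(victim, secrets.token_bytes(16))

    return {
        "recovered_plain": recovered_plain,   # '04217'
        "recovered_keyed": recovered_keyed,   # None
        "linkable": linkable,                 # True
        "unlinkable": unlinkable,             # True
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the choice between a secret key (or global secret salt) and a per-record salt decides whether the output is still a pseudonym that links records or something closer to an anonymised token; the first needs the key to be kept out of the attacker's reach, the second only raises the cost of the attack to once per record when the salt is stored alongside the hash.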

Source: Spanish Supervisory Authority and EDPS release guidance on hashing for data pseudonymization and anonymization purposes

EU contracts with Microsoft raising ‘serious’ data concerns

Europe’s chief data protection watchdog has raised concerns over contractual arrangements between Microsoft and the European Union institutions which are making use of its software products and services.

The European Data Protection Supervisor (EDPS) opened an enquiry into the contractual arrangements between EU institutions and the tech giant this April, following changes to rules governing EU outsourcing.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.

Source: EU contracts with Microsoft raising ‘serious’ data concerns, says watchdog | TechCrunch

EDPS publishes opinion on communication data as personal data

The European Data Protection Supervisor (EDPS) published, on 11 September 2019, the pleading notes before the Court of Justice of the European Union (CJEU) in the joint hearing for case C-623/17 Privacy International, joint cases C-511/18 and C-512/18 La Quadrature du Net and Others, and case C-520/18 Ordre des Barreaux Francophones et Germanophone and Others.

The notes address whether IP addresses or other data relating to electronic communications are capable of providing information on the content of communications, what information concerning the private lives of the persons concerned can be obtained from IP addresses or other data relating to electronic communications, and whether, and to what extent, it would be possible to limit the retention of and access to electronic communication data while still enabling the objectives set out in Article 15(1) of the ePrivacy Directive.

Source: Pleading notes of the European Data Protection Supervisor (EDPS)

EDPS issues note on data transfers following Brexit

On 16 July 2019, the European Data Protection Supervisor (EDPS) issued an information note on international data transfers after Brexit.

The Note highlights that if the EU and the UK sign the withdrawal agreement before 1 November 2019, the data flows to the UK will not be immediately affected. EU data protection laws (including the GDPR, the Law Enforcement Directive (EU) 2016/680 and the ePrivacy Directive) will apply until 31 December 2020, with a maximum extension until 31 December 2022.

However, in the case of a “no-deal” Brexit, EU data protection laws would not apply in the UK and starting from 1 November 2019 personal data transfers from EU institutions to companies in the UK must comply with the international data transfer requirements under Chapter V of GDPR.

Read the Note.

European Data Protection Board Issues Opinion on U.S. CLOUD Act

On July 10, 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint assessment of the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) on the legal framework for the protection of personal data in the EU.

The institutions note that the extraterritorial effect of the CLOUD Act could result in service providers being “susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.”

Source: European Data Protection Board Issues Opinion on U.S. CLOUD Act

EDPB and the EDPS consider the European Commission to be a processor of patient data in the eHealth Digital Service Infrastructure

On July 12, 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the processing of patient data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI).

The eHDSI system was established in the context of the eHealth Network and allows for the exchange of patients' electronic health data between Member States. The opinion confirms that Member States act as "joint controllers" and the European Commission acts as a processor in the processing of patient data within the eHDSI.

Full article: The European Data Protection Board and the European Data Protection Supervisor consider the European Commission to be a processor of patient data in the eHealth Digital Service Infrastructure

EDPS flags data protection issues on EU institutions’ websites

An inspection carried out by the European Data Protection Supervisor (EDPS) on the websites of major EU institutions and bodies revealed data protection and data security issues in seven out of the ten websites inspected.

The inspection revealed that several of the websites were not compliant with the Regulation or with the ePrivacy Directive and did not follow the EDPS Guidelines on web services. One of the issues encountered was third-party tracking without prior consent. This is especially problematic in cases where the third-party concerned operates under a business model based on the profiling and subsequent behavioural targeting of website visitors. Other issues encountered included the use of trackers for web analytics without visitors’ prior consent and the submission of personal data collected through web forms using non-encrypted connections.

Each of the institutions concerned has received recommendations from the EDPS on how to ensure their websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified.

Source: EDPS press release

EDPS: We need to talk about terms and conditions

Terms of service are generally designed to safeguard a service provider against legal challenges.

These terms are not like a memorandum of understanding, trade agreement or a contract established jointly by two more-or-less equal parties. Rather, they are laid down by the service provider and are not open to negotiation. In the EU there are rules protecting the consumer against unfair terms.

Full article: We need to talk about terms and conditions | European Data Protection Supervisor

Even ticking a box does not necessarily mean consent is freely given

Digiday spoke to Giovanni Buttarelli, European data protection supervisor, to hear whether media and advertising businesses have done enough to comply. He believes Google and Facebook must work harder to achieve compliance.

Full article: Giovanni Buttarelli on state of GDPR adoption: ‘Even ticking a box does not necessarily mean consent is freely given’ – Digiday
