
Tag Archives for "GDPR"

Inherently identifiable: Is it possible to anonymize health and genetic data?

Nearly 25 million people have taken an at-home DNA testing kit and shared that data with one of four ancestry and health databases.

With this proliferation of genetic testing and biometric data collection, there should be an increased scrutiny of the practices used to deidentify this data. Biometric data, namely genetic information and health records, is innately identifiable.

But can biometric data ever truly be anonymized? What are the methods of deidentification and the associated best practices, and what is the current state of biometric data under the EU General Data Protection Regulation?

Full article: Inherently identifiable: Is it possible to anonymize health and genetic data?

Tech and mobile companies want to monetise your data … but are scared of GDPR 

The vast majority of technology, media and telecom (TMT) companies want to monetise customer data, but are concerned about regulations such as Europe’s GDPR, according to research from law firm Simmons & Simmons.

It found that 78 per cent of companies have some form of data commercialisation in place but only 20 per cent have an overarching plan for its use.

The survey also revealed that 53 per cent of TMT companies think they need to improve their understanding of data privacy regulation. Meanwhile, just 31 per cent of respondents said they had updated their communication to customers on data collection and use in the last two years, despite a number offering financial incentives and a more personalised service to encourage data sharing.

Source: Tech and mobile companies want to monetise your data … but are scared of GDPR • The Register

German Privacy Regulators Flooded with Google Analytics Complaints

The data protection authorities of the German states are being flooded with complaints, approximately 200,000 in number, regarding deployment of the Google Analytics service on websites in a manner which allegedly is in violation of GDPR.

At issue is whether deploying Google Analytics is possible without acquiring the consent of the end user prior to deploying the Google Analytics cookie on the end user’s device.

Source: German Privacy Regulators Flooded with Google Analytics Complaints

Data for money: App facilitating data portability now under the EDPB’s scrutiny

A number of Italian retailers submitted to the Italian Data Protection Authority, the Garante, very similar complaints concerning massive data subject requests received from Italian startup Weople.

Weople exercised, on behalf of the individuals that subscribed to its services via a mobile app, the right to data portability in connection to the personal data collected by the retailers’ loyalty programs. The transfer of such data was to go directly to Weople.

Full article: Data for money: App facilitating data portability now under the EDPB’s scrutiny

Sweden authorises the use of facial recognition technology by the police

Sweden’s data protection authority has approved the use of facial recognition technology by the police, to help identify criminal suspects.

According to the Swedish authority, the processing and storage measures comply with Sweden's Crime Data Act and the EU's Law Enforcement Directive (Directive (EU) 2016/680), the instrument that governs police and criminal-justice processing alongside the GDPR.

The decision is controversial following successive bans of this technology in US cities. The technology is widely used in China.

Source: Sweden authorises the use of facial recognition technology by the police | New Europe

The Polish supervisory authority imposed first administrative fine on a public entity

The President of the Personal Data Protection Office ("the President of the Office") imposed its first administrative fine of PLN 40,000 on a public entity for failure to comply with the GDPR.

The reason for imposing the fine was that the mayor of the city did not conclude a personal data processing agreement with the entities to which he transferred data.

Apart from the financial penalty, the President of the Office also ordered the controller to take action to remedy the relevant infringements within 60 days.

Source: The Polish supervisory authority imposed first administrative fine on a public entity

Criminal proceedings against Österreichische Post

The Austrian data protection authority imposed an administrative fine of 18 million euros on Österreichische Post AG (Austrian Postal Service) after conducting administrative fine proceedings.

The Austrian DPA concluded that Österreichische Post had violated the GDPR by processing personal data on the alleged political affinity of the affected data subjects. A further GDPR violation was the additional processing of data on parcel frequency and the frequency of relocations for the purpose of direct marketing.

However, the penalty is not final, as it can be challenged before the Federal Administrative Court within four weeks after the delivery of the penalty notice.

Source: Criminal proceedings of the Austrian data protection authority against Österreichische Post AG (Austrian Postal Service) | European Data Protection Board

Where does the GDPR fine money go?

On 8 July 2019, the UK's ICO announced its intention to fine British Airways £183 million for GDPR violations, and just one day later announced a proposed £99 million fine against hotel chain Marriott. Google was hit with a €50 million fine by the French authority (CNIL), and at least 70 enforcement actions have been taken in total across the EU little more than a year after the new regulation came into force.

But the destination of this money, which has the potential to reach billions in the next few years, has been the subject of uncertainty. The relatively untested one-stop-shop principle, too, may lead to tensions as data protection authorities wrestle over claims of jurisdiction in large cross-border investigations.

Full article: GDPR: Where does the fine money go? | IT PRO

EDPB Issues Final Guidelines on ‘Necessary for the Performance of a Contract’ Legal Basis

The European Data Protection Board has issued final guidelines on the "necessary for the performance of a contract" legal basis for processing data under the General Data Protection Regulation (GDPR).

To use this legal basis, you need to show:

  • The processing is carried out in the context of a valid contract with the individual.
  • The purpose for the processing in question is clearly specified and communicated to the relevant individual, in line with the company’s purpose limitation and transparency obligations (even if not in the body of the contract).
  • The processing needs to be objectively necessary to achieve this particular purpose.
  • There are no realistic, less intrusive processing alternatives.

Source: EDPB Issues Final Guidelines on ‘Necessary for the Performance of a Contract’ Legal Basis

Ireland publishes note on data breach trends

Ireland’s Data Protection Commission has published information note on data breach trends from the first year of the General Data Protection Regulation (GDPR).

The total number of breach notifications received by the DPC during that time amounted to 5,818. Of these, approximately 4% were classified as 'non-breaches' because they did not meet the GDPR definition of a personal data breach.

A further 13% failed to satisfy the requirement to notify the DPC 'without undue delay' (normally within 72 hours of becoming aware of the breach), as required under the GDPR.

Source: Data Breach Trends from the First Year of the GDPR
