Free tools and resources for Data Protection Officers!

Tag Archives for " GDPR "

EU Commission publishes report on GDPR application issues

The European Commission has published Multistakeholder Expert Group’s report on eperience of application of the General Data Protection Regulation’s (GDPR).

Report highlights the main issues and concerns that organisations face in complying with the GDPR, as well as GDPR’s impact on the exercise of data subjects’ rights.

Read Multistakeholder Expert Group’s report.

ICO admits its own cookie policy is non-compliant with GDPR

The Information Commissioners Office has admitted that its current consent notice relating to the use of cookies on devices failed “to meet the required GDPR standard”.

The issue relates to the automatic placing of cookies on a user’s mobile device when accessing the ICO’s website, which one complaint argued was in breach of the Privacy and Electronic Communications Regulations 2003, which sits alongside GDPR.

Source: ICO admits its own cookie policy is non-compliant with GDPR | IT PRO

Consumer contract law in the age of data

As part of its 2015 Digital Single Market Strategy, the European Commission proposed modernising the rules applicable to sales of goods and introducing similar rules for the supply of digital content (such as digital films, music, e-books, applications) and digital services (such as social media platforms, on-line games, pay-per-view access to films, cloud computing, etc.).

After more than 3 years of negotiations, the EU adopted a package comprising a directive on contracts for the supply of digital content and services and a directive on contracts for the sale of goods, both applicable in B2C relations.

Full article: The EU makes B2C contract law enter the age of data

Austrian Supreme Court Says GDPR Lawsuits Can Be Filed Throughout EU

The Austrian Supreme Court has ruled that complaints concerning the EU General Data Protection Regulation (GDPR) can be brought anywhere in the EU.

The decision overturned a ruling by a lower Austrian court which held that a privacy lawsuit against Facebook had to be brought in Ireland, where the company is headquartered.

Source: Austrian Supreme Court: GDPR Lawsuits Can Be Filed Throughout EU

Swedish DPA digs into Spotify’s responses to SARs

The Swedish data protection authority – Datainspektionen – had initiated a review of Spotify Technology S.A.’s responses to data subject access requests (SARs).

Investigation was initiated following a number of complaints regarding how Spotify manages data subject access requests (SARs). Article 15 of the General Data Protection Regulation (GDPR) provides individuals with right to access their data any company holds about them.

Swedish DPA noted that the information Spotify provided to users in response to a SAR is incomplete and not sufficiently clear. Therefore Datainspektionen asked Spotify to detail how it handles SARs, in particular, what information it provides, what information the copy of personal data includes, and how the information is presented to data subjects.

Source: Datainspektionen granskar rätten till registerutdrag

Hungarian GDPR amendments act enters into force

On 26 April 2019, the Act XXXIV of 2019 on the Legislative Amendments Implementing the European Union Data Protection Reform (‘the Act’) entered into force.

The Act aims to amend national legislation in line with the General Data Protection Regulation (GDPR). Hungary is one of last EU countries to adopt GDPR implementation act.

Access Act here (in Hungarian).

Lithuanian DPA launches investigation into D-Link

In response to publicly available information, the Lithuanian data protection authority – State Data Protection Inspectorate – launched an self-initiated inquiry into the allegedly inappropriate processing of personal data by D-Link.

It is feared that D-Link equipment user passwords, browsing history or other information can be accessed by third countries’ servers through D-Link’s devices, allowing profiling and identification of consumers.

State Data Protection Inspectorate also noted that D-Link’s processing activity potentially amounts to a violation of the General Data Protection Regulation’s (GDPR) transparency principle.

Source: State Data Protection Inspectorate Launches D-Link Research | State Data Protection Inspectorate

France enacts Decree on application of data protection

On 1 June 2019 Decree No. 2019-536 of 29 May 2019 Enacted For the Application of Act No. 78-17 of 6 January 1978 on Data Processing, Files and Individual Liberties came into force.

The Decree clarifies procedural rules of the French data protection authority, including its control and sanctions, and further specifies data subject rights. It also brings Act on Data Processing, Files and Individual Liberties in line with the General Data Protection Regulation (GDPR) and the Data Protection Directive with Respect to Law Enforcement.

Read the Decree here (in French).

Spanish DPA fines soccer league 250K euros

La Liga has been fined 250,000 euros for violating the Spanish Data Protection Agency (AEPD) and the European General Data Protection Regulation (GDPR).

La Liga was using their mobile app to detect the bars that screen football matches without paying by activating the microphone of any user’s mobile so that it can detect sounds that bars emits if a private signal is used. AEPD found that information presented to users was opaque.

Source: Spanish DPA fines soccer league 250K euros