
PrivacyON and Wolters Kluwer România are working together to grow GDPR expertise

Starting in September, a new data protection expertise resource will be available in Romania as a result of the collaboration between PrivacyON and Wolters Kluwer. The well-known legal information application Sintact.ro will offer a questions-and-answers component on the application of the GDPR and related topics.


In this Q&A module, Sintact.ro subscribers will have at their disposal an initial set of 50 detailed answers to various practical problems, and will be able to submit questions that will be analysed by the PrivacyON team.

The aim of the project is to create a continuously growing expertise resource on the application of personal data protection legislation. The innovative element is the attention paid to the practical needs and concerns of day-to-day activity, as they are formulated by organisations.

“We were glad to receive Wolters Kluwer’s invitation to collaborate on this project, because we see real practical value in it. We want to help data protection officers, or those in similar roles in companies, clarify how the GDPR must be applied in their organisations and overcome the difficulties of a field that is relatively new and so little explored in Romania.”

Roxana Guiman, partner

“As lawyers in the field of personal data protection, we pay attention to our clients’ activity and try to see things from their perspective. GDPR compliance cannot be applied in a vacuum. That is precisely why I am confident that, together with Wolters Kluwer, we are developing an ideal tool for exploring the concrete dilemmas of organisations and addressing them in the most realistic way possible.”

Dana Ududec, partner

In the GDPR module you can find explanations for frequent questions from practice, such as:

  • Is it necessary for employees to sign the information notice about the processing of their personal data?
  • When is a Data Protection Impact Assessment (DPIA) mandatory?
  • What situations constitute a conflict of interest for the exercise of the DPO function?
  • In which situations is informing data subjects about the processing of their personal data not mandatory?
  • Is the debtor’s consent required for a creditor to transmit the debtor’s personal data to a debt collection entity?


For more details on accessing the GDPR questions module, we invite you to contact Wolters Kluwer România.


PrivacyON has joined the InnovX mentor team with the aim of supporting Romanian start-ups

Since spring this year, PrivacyON has been collaborating with InnovX, offering the companies enrolled in its acceleration programmes courses and one-to-one mentoring sessions on topics related to intellectual property and personal data protection.


InnovX is an accelerator structured in a way that we believe is unique in Romania: it selects companies at different stages of development (grinders, start-ups, scale-ups) and, within a very intensive learning programme lasting several months, these projects go through a real growth process. At the end of the programme, companies know much more clearly what steps to take, have well-defined strategies and a body of knowledge that will help them reach their objectives much more easily.

Through our courses and mentoring sessions we want to share our expertise and help companies that are still at the start of their journey understand their needs and vulnerabilities with regard to the processing of personal data and the protection of intellectual property rights. As these are fields in which it is genuinely much easier to prevent than to repair, we try to support start-ups in structuring their projects so that these aspects are taken into account from the very beginning. This is not always easy, especially because limited resources at the start of a project and the focus on operational matters leave little room for concerns about the GDPR or copyright. That is exactly why we are glad to be able to help through our involvement in the InnovX project.

In addition, exposure to the projects in the accelerator is a good opportunity for us too to learn and to keep up to date with what is new in the world of technology, especially since the InnovX team does a very good job of selecting genuinely interesting and innovative projects for the accelerator.

If taking part in such an acceleration programme is of interest to you, selection for a new scale-ups cohort at InnovX is just starting, with a deadline of 2 October. You can find details here.


Cookie walls and swipe/scroll – new EDPB guidelines on consent as a legal basis for processing personal data

On 4 May 2020, the European Data Protection Board (“EDPB”) adopted “Guidelines 05/2020 on consent under Regulation 2016/679 (version 1.1)” (“Guidelines 05/2020”), updating the opinions previously issued on the same topic by the Article 29 Working Party (“WP29”).


The EDPB intends the new reference document on the legal basis of consent to replace the previous one, without however affecting other specific guidance on consent contained in the WP29 documents.

Although the content of the previous guidelines remains largely identical (with formal changes, such as those relating to the replacement of WP29), the EDPB used this opportunity to provide a series of new clarifications on the interpretation of the provisions applicable to consent for the processing of personal data under the GDPR.

The new elements introduced by the EDPB concern the following two main topics:

(a) Making access to the content of a website conditional on accepting the placement of cookies

The use of “cookie walls” as a mechanism to prompt users’ consent has been intensely debated. The main counterarguments have concerned the unfair nature of the choice presented to users, the lack of control over information, and the lack of a genuine choice (especially in situations of monopoly over a certain type of information, which ends up being inaccessible).

The EDPB has settled the question of the validity of consent influenced by “cookie walls”, placing this mechanism on the list of examples of breaches of the freely given nature of consent for the processing of personal data.

(b) Inferring consent from various user actions on a website (scroll/swipe)

Another common practice is informing users who access a website that an action on their part such as scrolling or swiping will be treated as agreement to the placement of cookies or similar technologies. In this case, the conditions for valid consent relating to clarity, to the unequivocal nature of the action and to the absence of ambiguity are not met. Secondly, the mechanism will in practice make it difficult to comply with Art. 7(3) of the GDPR, which establishes the right to withdraw consent and creates a symmetry with the simplicity of the means by which agreement to the processing of personal data was given.

These new elements are discussed at length in the article GDPR: New guidelines on the validity of consent in the case of “cookie walls” and swipe/scroll actions on a website, written by Dana Ududec, PrivacyON partner, and published in issue 2/2020 of the Revista Română de Drept al Afacerilor.

GDPR issues for body temperature readings

Some organizations are taking into consideration installing temperature scanners or other means of verifying the body temperature of staff and visitors, in their effort to protect the workplace against the spread of COVID-19.

This is a sensitive topic which needs careful analysis by each company, especially with regard to the effectiveness of the devices used for this purpose, setting up records of such data, who has access to the data and what are the consequences for the data subjects – to name just a few issues.


Below is a short outline of certain guidance and opinions from European Data Protection Authorities on the topic of reading body temperature, to help organizations decide on the lawfulness of such a measure in their case.

Belgium

The updated guidance from the Belgian Data Protection Authority (APD) specifically refers to measuring the body temperature of workers and visitors. According to the APD, the mere measurement, without recording the data, does not constitute per se processing of personal data. However, the guidance does not discuss the case where organizations actually register a high temperature during such checks and take certain measures as a result – for example, where a thermal scanner placed at the entrance of a factory reads a temperature above the set threshold and the worker is then isolated from the rest of the staff.

Spain

In its FAQs, the Spanish authority (AEPD) refers to national occupational risk prevention legislation, which obliges employers to verify whether the health status of workers represents a danger – however, it indicates that such verification must be carried out by medical staff. The AEPD states that, in any case, the processing of health data obtained from temperature measurements must be limited to the purpose of combating the spread of COVID-19 and must respect all other GDPR principles.

France

The French authority (CNIL) strongly advises organizations against “mandatory readings of the body temperatures of each employee / agent / visitor to be sent daily to their hierarchy”. From the wording of the guidance, it seems that checking symptoms might be allowed if done in a confidential manner – for example, by the occupational doctor or a member of the staff who must observe the secrecy of the data.

Romania

The Romanian authority (ANSPDCP) is silent on this matter and instead indicates the general GDPR legal exemptions for processing health data. This means that data controllers must make their own (documented) assessments and decide

EDPB

The initial statement of the European Data Protection Board does not cover this specific topic. However, the EU body has recently announced that it is speeding up the publication of more detailed guidance.

Collecting health data through questionnaires


The issue of implementing questionnaires that gather health data and other information about the existence of risk factors, addressed to employees, collaborators and visitors alike, does not have a unified approach among the European Data Protection Authorities.


While some authorities expressly prohibit such methods of systematic and general data collection, others allow organizations to make their own assessment and to decide whether imposing on staff and visitors to fill in questionnaires or to sign statements about risk factors (including symptoms) is necessary and proportional.

EDPB

The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, adopts an open perspective, expressing the following view:

“Can an employer require visitors or employees to provide specific health information in the context of COVID-19?

The application of the principle of proportionality and data minimisation is particularly relevant here. The employer should only require health information to the extent that national law allows it.”

Ireland

The Irish DPC has analyzed this issue in great detail. The DPC says that “employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”, considering the legal obligations to ensure workplace safety. However, if organizations wish to implement these checks by means of questionnaires, the Irish authority indicates the following:

“Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.”

In addition, considering health and safety duties, employers would also be justified to ask employees to inform them if they have a medical diagnosis of COVID-19.

Hungary

NAIH has a permissive approach to using risk factor questionnaires, with some caveats. Employers must, first of all, decide if this method is necessary and proportionate and ensure that questionnaires do not include questions relating to medical history or requirements to attach medical documents.

France, Belgium and Luxembourg

In this case, the authorities are more conservative. The CNIL states that “employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee / agent and their relatives”. The CNIL prohibits the collection of medical sheets or questionnaires from all employees / agents.

The Belgian APD prohibits the application of medical questionnaires, stating:

“The employer cannot compel workers to complete such questionnaires. It is recommended to encourage workers to spontaneously report risky travel or symptoms. In this case too, the role of the occupational physician must be emphasized.”

In Luxembourg, the authority also included questionnaires on the “What not to do” list. Employers should not require employees to fill in medical forms or questionnaires and should not require visitors to provide standardized statements about the absence of symptoms and travels to risk areas.

Romania

The Romanian authority (ANSPDCP) is silent on this specific matter and indicates certain possible legal grounds and exemptions which allow processing of health data.

What to consider

In any case, the collection of health data must be lawful under the GDPR, which means that it must be allowed under an Art. 9(2) exemption (read more on this topic).

If an organization decides to implement questionnaires and statements (provided that their national DPA did not explicitly prohibit it), this should be done in observance of the data protection legal framework, including the essential GDPR principles – fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality and, of course, accountability.

Disclosing COVID-19 diagnosis


Companies explore whether they can disclose that someone has been diagnosed with COVID-19, in their efforts to protect staff and the general public. This article describes recent opinions published by EU Data Protection Authorities on the issue.


Statement of the European Data Protection Board

The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, specifically tackles the question of disclosing that an employee has been diagnosed:

“Can an employer disclose that an employee is infected with COVID-19 to his colleagues or to externals?

Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.”

What are the EU national DPAs saying?

The Irish DPC does not institute a general prohibition, but states that “any communications to staff about the possible presence of Coronavirus in the workplace should not generally identify any individual employees” and that the “identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification”. Moreover, the authority’s FAQ section provides a concrete example:

“Can an employer disclose that an employee has the virus to their colleagues?

This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID-19 in the organization and requesting them to work from home. This communication should not name the affected individual.

Disclosure of this information may be required by the public health authorities in order to carry out their functions.”

Italy’s Garante only mentions that, in the context of specific and detailed legislation passed at the national level:

“Where an employee performing duties that entail contact with the public (e.g. at a front office, at a service desk) encounters a suspected Coronavirus case in the course of their work, that employee will ensure that the competent health services are informed – including through the employer – and will follow the preventive instructions provided by the healthcare professionals consulted.”

The Hungarian Data Protection Authority (NAIH) indicated that organizations should inform employees that they must report any suspected contact with the virus, and that such information can be recorded by the employer. In addition, the NAIH mentioned that the Police are authorised to use CCTV footage to investigate those who do not observe the legislation for preventing the spread of COVID-19.

Belgium’s APD takes a restrictive stand and states that:

“Under the principle of confidentiality (Article 5.1, f) of the GDPR) and the principle of data minimization (Article 5.1, c) of the GDPR), an employer cannot reveal the names of the persons concerned. The employer can only inform other workers of the situation without mentioning the identity of the person(s) concerned.”

The Danish DPA indicated that, within the framework of data protection law, an employer can, to a large extent, disclose non-specific information (even health information) when the necessity of the situation so requires, for example: that an employee has returned from a so-called “risk area”; that an employee is in home quarantine (without stating the reason); that an employee is ill (without stating the reason). The authority recognised that in some situations (e.g. to allow management and colleagues to take precautions) it might become necessary to disclose that an employee has been diagnosed with the Coronavirus. Even if information is disclosed, it should be factual and kept to the minimum necessary (including by avoiding naming the person infected).

The DPA from Luxembourg does not institute a strict prohibition, but it does state that “The identity of the data subjects can therefore not be disclosed to third parties or the data subjects’ colleagues without clear justification.”

The UK’s ICO expressly answered that an organization can tell their staff that a colleague may have potentially contracted COVID-19, but they should assess whether they can name individuals and should not provide more information than necessary.

Lastly, none of the DPAs sees any impediment to reporting cases to health authorities or other public bodies that have legal competence to manage the epidemic.

Romanian DPA’s point of view

The Romanian DPA issued a press statement about the legal conditions of processing data in the current health crisis. The authority expressly stated the following:

“As regards the disclosure in the public sphere of the name and health status of a physical person, we underline that the processing (the disclosure) of such data can only be done based on the consent of the concerned person.”

The specific point of view is welcome – however it does raise questions about the theoretical applicability of other exemptions allowed by Art. 9(2) of the GDPR. Moreover, this opinion should not prejudice journalistic activities which fall under the journalistic exemption provided by the Romanian GDPR Application Law (no. 190/2018), as long as these activities observe human rights privacy standards and ethical guidelines.

Legal basis for processing health data


Because health data represents a special category of data, the GDPR allows processing only in exceptional situations indicated in Art. 9(2).

In the context of measures aimed at containing the spread of COVID-19, organizations are asking which is the correct basis (the exemption) which would allow them to collect data about the health situation of employees. This article sums up certain opinions published by Data Protection Authorities from the EU on this issue.


Processing necessary for complying with employment law

GDPR Art. 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

Several EU authorities have validated Art. 9(2)(b) as a basis for employers who need to process health information about their employees and people who visit their premises, as long as there are obligations in employment and occupational safety laws which apply to organisations. See, for example, the opinions from Ireland, Spain and Hungary.

For instance, national employment or occupational safety law might provide that the employer has obligations to protect employees from health risks. Some laws also indicate the obligations of employees to report any health risk factors identified at the workplace and to protect their colleagues (for example, to report immediately if they believe that certain COVID-19 risk factors apply to them).

Even if this provision is invoked for processing health data for managing COVID-19 risks at the workplace, the processing activities must be accompanied by the implementation of all other GDPR principles – fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and, of course, accountability.

Depending on the case, there might be other Art. 9(2) exemptions applicable.

GDPR Art. 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

This basis applies, for example, when an occupational health physician would ascertain the conditions of the employees. However, it is important to point out that relying on this exemption to process health data must be accompanied by suitable safeguards applied to the data processing – e.g. security, restricted access, strict retention periods, staff training.

GDPR Art. 9(2)(c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

GDPR Art. 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

GDPR Art. 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

The Irish DPC indicated that Art. 9(2)(i) might be applicable where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities. The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, validates the possibility to rely on Art. 9(2)(c) and 9(2)(i).

Although some might be quick to rely on the provision in letter (c), please note that the exemption only applies when the data subject is physically or legally incapable of giving consent.

Could explicit consent be relied on?

GDPR Art. 9(2)(a) – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Although, theoretically, obtaining the explicit consent of the data subject allows the processing of health data, remember that in the context of employment consent is rarely an appropriate basis for data processing.

Data Protection Newsletter – no. 2/2020, February

This month in data protection news: ● See guidance from EU data protection authorities on how to process personal data in the context of COVID-19 ● Read about recent GDPR sanctions, including in the field of telecoms ● Find out about the recent guidelines from data protection authorities ● More GDPR news and further readings.


Data Protection News: January 2020

CPDP 2020 Highlights

Each January marks the Computers, Privacy and Data Protection Conference (CPDP), an international event gathering the most important stakeholders in the field. This year, the main theme of the event was Artificial Intelligence, with its multi-faceted approaches: banning or regulation, risks and possible mitigation measures, privacy threat or privacy enhancer, a silver lining for humanity or the sign of imminent destruction. With such a hot topic, the 5-stage event was filled with AI supporters, skeptics and fence-sitters.

But it was not all about AI – some panels discussed subjects such as consumer protection in the context of social media and online trackers, privacy concerns in the application of PSD2, adtech, data security, the one stop shop mechanism, children’s privacy and many others (see the full schedule here). Luckily for those who could not make it or discover the science of being in 5 places at the same time, the CPDP recorded the panels and made them all available online.

These are our favorites among the panels we attended:

The Future is Now: Autonomous Vehicles, Trolley Problem(s) and How to Deal with Them
The trolley problem is obsolete – right now the autonomous vehicles industry is facing important questions about regulation and access to drivers’ data. Andreea Lisievici (Volvo Cars) saliently points out the main concerns of manufacturers.

The One-Stop-Shop: Twenty Months On
Max Schrems talked about the many hurdles of the GDPR one stop shop mechanism and cooperation amongst data supervisors. If a decision is made by a supervisor in a different Member State than the one where the data subject is located, this has the potential of becoming a procedural nightmare when it comes to making appeals.

Is ethical adtech possible? Navigating GDPR enforcement challenges in real-time bidding complaints
Ster, the agency handling advertising for the public broadcasting system in the Netherlands, presented an innovative way of displaying contextual advertising without needing to place cookies or other trackers to profile the audience. The ads are shown depending on the content of the page rather than the profile of the viewer.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Brexit & GDPR

The UK has left the EU on 31 January and entered into a transition period which will last until the end of December 2020. Naturally, remaining EU entities are concerned about the legal regime of cross-border data processing in this new scenario.

The ICO has issued a statement on data protection and Brexit, indicating that until the end of the transition period, it will be “business as usual for data protection” with regard to entities in the UK. However, fingers are crossed for an adequacy decision from the European Commission, although there are no official signs yet pointing in this direction.

In the absence of a future adequacy decision, transfers to the UK will be treated as third country personal data transfers and will have to comply with the restrictions in Chapter V of the GDPR.

Extra resources: check out this free webinar by 2040 Training on Brexit and the future of the GDPR application.

EDPB: CCTV guidelines


AI Resources

🎓 Norwegian Ministry of Local Government and Modernisation: The National Strategy for Artificial Intelligence.
🎓 European Commission, Joint Research Centre: Robustness and Explainability of Artificial Intelligence. From technical to policy solutions (direct download link).
🎓 Read the European Commission Intellectual Property and Artificial Intelligence – A literature review.
🎓 The ICO warns – police force needs to slow down the implementation of live facial recognition and justify its use.
🎓 Medium: Black-Boxed Politics: Opacity is a Choice in AI Systems.
🎓 The New York Times: The Secretive Company That Might End Privacy as We Know It – an investigation about Clearview AI, the face recognition app.
🎓 ZDNet: What is AI? Everything you need to know about Artificial Intelligence.

Cookies & Adtech

🍪 The CNIL publishes updated draft guidelines on cookies.
🍪 The Finnish Transport and Communication Agency published guidance on the use of cookies.
🍪 ICO Blog: Adtech and the data protection debate – where next?
🍪 German Data Protection Authorities (DSK) discuss, among other topics, wide-ranging inspections of media websites that use online tracking tools.
🍪 The Norwegian Consumer Council (Forbrukerrådet) publishes an extensive report on the violation of consumer rights by the online advertising industry.
🍪 The Belgian DPA litigation chamber decides on a case concerning the use of cookies (see here a summary in English).
🍪 Forbrukerrådet: New study: The advertising industry is systematically breaking the law.
🍪 Karolina Iwańska: 10 Reasons Why Online Advertising is Broken.

Guidelines & reports

✒️ North Rhine-Westphalia DPA answers FAQ on the DPO (read here an article in English). The DPA provides examples of conflict of interest and rejects the possibility that a legal person might be a DPO.
✒️ Irish DPC blog: Data Protection on the Campaign Trail.
✒️ The ICO launches consultation on draft direct marketing code of practice.
✒️ Saxony DPA considers that the “remember me” default setting for websites and apps violates the GDPR privacy by design and by default principle (see here an article in English).
✒️ The Council adopted its position and findings on the application of the General Data Protection Regulation (GDPR) (direct download).
✒️ The CNIL finds it excessive to use CCTV in schools for systematic and continuous surveillance.
✒️ Finnish DPA publishes FAQ section in English.
✒️ EDPB issues Opinion 5/2020 on the draft decision of the Luxembourg National Data Protection Commission regarding the approval of the requirements for accreditation of a certification body.
✒️ The EDPB responds to MEP Sophie in’t Veld’s letter on unfair algorithms.
✒️ ENISA publishes report on the main supervision changes brought by the European Electronic Communications Code.
✒️ German Federal Commissioner for Data Protection and Freedom of Information (BfDI) provides views on encryption as a recommended security measure (article in English).
✒️ ENISA publishes an online tool for evaluating the level of risk for a personal data processing operation.
✒️ The ICO issues guidelines on standards for internet services intended for children – read here a summary by Fieldfisher.
✒️ The Irish DPA comments on whether data protection law can apply to opinions.
✒️ The European Banking Authority (EBA) issues report on key challenges in the roll out of Big Data and Advanced Analytics.
✒️ The Draft for a Code of Conduct on the use of GDPR compliant pseudonymisation, initiated by the German Ministry of Internal Affairs, is available in English.
✒️ Data Protection Authority for the State of Saarland (Germany) examined the use of WhatsApp by public institutions in their communications with citizens (read here an article in English).
✒️ The Data Protection Authority (DPA) of Saxony considers that commissioning penetration testing requires the conclusion of a data protection agreement with the third-party contractor (read here an article in English).
✒️ ICO guidance: What is NIS?

Case-law & legislation

⚖ New EU rules for protecting consumers enter into force. Read more about the EU’s New Deal for Consumers.
⚖ Fieldfisher publishes a table with processing activities which trigger the obligation to conduct a DPIA, based on national “DPIA blacklists” (direct download here).
⚖ The ECtHR decided in Breyer v. Germany on the legal obligation on service providers to store personal data of users of pre-paid mobile-telephone SIM-cards and make them available to authorities upon request (legal summary available here).
⚖ The CJEU Advocate General Campos Sánchez-Bordona delivered the Opinion in case C‑78/18 (European Commission v Hungary) concerning the national law which required transparency for donations from abroad made to certain NGOs. The AG finds the measure “unjustified and disproportionate interference with the rights of those who make donations to respect for their privacy and to the protection of their personal data”.
⚖ Geo-blocking sanctions in e-commerce are finally provided for in Romanian legislation.
⚖ The interaction between PSD2 and GDPR is analyzed in this article by Dilja Helgadottir.
⚖ The Saxon State Labour Court in Germany ruled on the dismissal of a DPO (see here an article in English).
⚖ The Wertheim Local Court in Germany imposed a penalty on a company for failing to comply with a personal data access request (see here an article in English).
⚖ Berlin Court rules that Facebook’s privacy settings and part of its terms and conditions violate consumer protection legislation. The violations refer to the use of photos for commercial purposes, default geolocation in the chat function and profile visibility for search engines.
⚖ Also, in Italy, Facebook is threatened with a fine of 5M Euros by the national competition authority. The concern is the continued lack of transparency regarding the use of personal data by the social network.
⚖ The European Court of Human Rights hears case against Hungary on the topic of freedom of expression, in the context of a political party’s mobile app which allowed voters to photograph, upload and comment on invalid votes cast during a 2016 referendum (read here the press release).
⚖ German court rules on the illegal use of an employee’s photo on Facebook after the employment relationship ended (read here an article in English).

GDPR enforcement actions

🔥 A pharmacy in London was fined for careless storage of patient data. The pharmacy left thousands of documents in unlocked containers at the back of its premises.
🔥 The Hungarian DPA has fined an organization for the unlawful search in the archived e-mail account of a former employee (see here an article in English).
🔥 The ICO continues its oversight of real time bidding (RTB) in adtech, as important actors have pledged to resolve issues raised by the authority.
🔥 The Austrian DPA found a violation of GDPR in the case of a dating website which did not use an e-mail double opt-in mechanism (article in English).
🔥 The Italian DPA fined Eni gas e luce 11.5 M Euros for unsolicited telemarketing and for activating contracts without request.
🔥 H&M risks a fine in Germany for recording sensitive data of employees and storing it in such a way that all managers had access to it.
🔥 The Italian DPA calls for an EU task force to tackle the privacy risks posed by the TikTok social network.
🔥 The Cypriot DPA banned the use of a human resources automated tool which scored the types of sick leave taken and profiled employees on that basis.

More data protection news

💬 Bird&Bird launches useful online resource for GDPR and HR.
💬 The Privacy Icons Forum was launched, which is “a collaboration of institutions that focus on the development, design and implementation of data privacy and data protection icons.”
💬 A supermarket chain is being targeted by the Belgian DPA in connection to the use of biometric payments.
💬 The Norwegian Consumer Council (Forbrukerrådet) is filing formal complaints against Grindr and five companies that were receiving personal data through the app.
💬 Read this post by Greet Gysen: Getting data subject rights right.
💬 Trans Atlantic Consumer Dialogue: Privacy in the EU and US: Consumer experiences across three global platforms.


Recommended articles

📰 Future of Privacy Forum publishes its selected award winning papers: “Antidiscriminatory Privacy” and “Algorithmic Impact Assessments under the GDPR”.
📰 Reuters: Strip searches and ads: 10 tech and privacy hot spots for 2020.
📰 Revision/Legal: Data Breach Litigation: Theories of Damages in Data Breach Cases.
📰 Bird&Bird: What exactly is a Digital Service Provider in the context of NIS Directive?
📰 The Washington Post: How we survive the surveillance apocalypse.
📰 Paolo Balboni: Joint Controllership: A collection of recent guidance.
📰 The Guardian: Fresh Cambridge Analytica leak ‘shows global manipulation is out of control’.
📰 Lydia F de la Torre on Medium: Right to delete under CCPA.
📰 Privacy International: Cloud extraction technology: the secret tech that lets government agencies collect masses of data from your apps.
📰 European Law Blog: International data transfers, standard contractual clauses, and the Privacy Shield: the AG Opinion in Schrems II.
📰 Jones Day: Global Privacy & Cybersecurity Update.
📰 HARVARD Kennedy School: Technology Factsheet: Internet of Things.
📰 BBC: Ring doorbell ‘gives Facebook and Google user data’.
📰 According to ZDNet, a class action has been brought in the US against Clearview, the firm that scrapes social media for people’s photos.
📰 Research quoted by ZDNet shows that a large number of Android apps contain self-contradictory language in their privacy policies with regard to data collection practices. Part of the problem is the use of auto-generated privacy policy templates available on the internet.
📰 Cornell University: Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Our newsletters are available for information purposes only and cannot be relied on as legal advice.

Recruitment

We are looking for lawyers passionate about privacy

We are looking for a lawyer passionate about personal data protection to join the PrivacyOne team.

PrivacyOne (GUIMAN UDUDEC SCA) is a law firm specialising in legal advice on personal data protection and intellectual property. We are a growing team, very active in GDPR compliance services, and we want passionate people alongside us who wish to deepen their understanding of the theoretical and practical aspects of data protection legislation.

You are the right person for this role if:

  • You are a lawyer and have been involved in GDPR compliance projects
  • You enjoy initiative and responsibility, and you are not the kind of person who constantly needs prompting
  • You enjoy drafting (including in English), you pay attention to detail, and the phrase “it’ll do as it is” makes you shudder
  • You are willing to learn, to think creatively, and you don’t give up until you find the answers

We offer you:

  • Constant training and instruction, together with opportunities to attend specialist courses and conferences
  • The chance to gain very varied experience in GDPR compliance projects, including managing projects and broadening your skills beyond the legal sphere
  • A remuneration system in which your effort and dedication count

If we have convinced you, we invite you to write to us at cariere[@]privacyone.ro, sending your CV and a cover letter telling us why you think you are the right person to join us.

More details, including on how we will process your personal data, can be found on our website in the section www.privacyone.ro/cariere.