The end of December is usually a time for recollection, for looking back on the accomplishments and challenges of the year almost ending and setting the vision for the following revolution around the Sun. So, we’ve compiled a small list of documents offering an overview of data protection themes in the past year, to help you immerse in this reflective mood. Enjoy!
In 2019 we’ve been very busy gathering news about data protection and sending monthly newsletters to all you privacy enthusiasts out there. This December we looked back at all the useful guidelines published by the Data Protection Authorities from EU Member States that made it to our newsletters and we gathered them all under the mistletoe.
So sit back, pour yourself a cup of hot chocolate and skim through all this data protection knowledge:
📒 Guide for prior consultation following DPIA.
📒 DPIA List (original document in French / article in English).
📒 New guidance about posting photos online (article in English).
📒 Updated cookie guidelines, in the aftermath of the Planet49 decision.
📒 DPIA whitelist.
📒 Cookie guidance.
📒 Kit for developers, including guidance on using libraries and third-party SDKs.
📒 Draft standards on the processing of personal data for core HR activities.
📒 Binding regulation on the use of biometric data for the purpose of controlling workplace access to premises, devices and computers.
📒 Guide on interface design and choices (French only).
📒 Bavarian Data Protection Authority answers FAQ on connected vehicles (see an article in English here).
📒 Data Protection Authority of Brandenburg comments on the transfer of group employee data to a third country (article in English).
📒 Bavarian DPA published a new FAQ regarding the requirements for WebFonts, Maps, Google Analytics and Facebook Custom Audience (read an article in English here).
📒 Guidelines on data transfers in asset deals.
📒 Audit checklist for GDPR readiness.
📒 Sample joint controllers agreement.
📒 Conference of Independent Federal and State Data Protection Authorities in Germany (DSK) issued a position paper on data protection requirements regarding the operation of Facebook pages. See here the paper in German and here an article in English.
📒 DSK also published Guidance and FAQ on cookies.
📒 DSK issued guidance on the applicability of the German Telemedia Act, which includes the topic of cookies post-GDPR and a paper on consent for scientific research.
📒 Guidance on data processing in the employment context (available only in German here; see article in English here).
📒 Hungarian DPA: Key GDPR cases.
📒 General Portable Storage Device Recommendations.
📒 Guidance for Organisations on Phishing and Social Engineering Attacks.
📒 Guide to Data Protection Impact Assessments for any processing that is ‘likely to result in a high risk to individuals’, including some specified types of processing.
📒 DSAR FAQ (Data Subject Access Requests).
📒 Guidance for Organisations Engaging Cloud Service Providers.
📒 Guidance on direct marketing and GDPR requirements.
📒 Guide for users about app permission requests.
📒 Guidance on Requesting Personal Data from Prospective Tenants.
📒 Transfers of personal data to third countries or international organisations.
📒 Guidance on CCTV in the home.
📒 Guidance Note on Data Protection Basics.
📒 Quick Guide to GDPR Breach Notifications.
📒 Definition of the ‘right to be forgotten’ or the right to erasure, as stated in Arts. 17 and 19 of the GDPR.
📒 Guidance on the Use of CCTV – For Data Controllers.
📒 Guidance on Data Sharing in the Public Sector.
📒 Elections and canvassing: Data Protection and Electronic Marketing – the data protection rights of individuals.
📒 Guidance for Drivers on use of “Dash Cams”.
📒 FAQ on the topic of access to banking data.
📒 Approval of the ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’.
📒 Rules on processing personal data in the context of political campaigns.
📒 Severe restriction of the situations in which legitimate interest can be relied on as a legal basis for personal data processing (read a summary in English here).
📒 Further guidance on data breaches.
📒 Indication for the application of pecuniary sanctions under the GDPR (available in Dutch).
📒 Introduction to the hash function as a personal data pseudonymisation technique.
📒 Opinion on DNS security, data protection, and privacy.
📒 Guide on the protection of personal data of patients.
📒 Guidelines on privacy by design.
📒 Joint Statement On Data Processing And Artificial Intelligence.
📒 Technical paper on transparency for mobile apps (full document here in Spanish).
📒 Report on the first year of GDPR application.
📒 Technical studies regarding the Android Operating System: User control over the personalization of advertisements and App access to the device screen. The studies are aimed at developers and users alike.
📒 Analysis on the data processing operations conducted via drone.
📒 Survey regarding the use of device fingerprinting.
📒 Guide on personal data breach management and notification.
📒 Guidance on the processing of special categories of personal data.
📒 Modified guidance on calculating the timescales for responding to data subject access requests.
📒 Cookie guidance.
📒 Update report into adtech and real-time bidding.
📒 GDPR – one year on.
📒 Information for medical practitioners with regard to patients’ access to medical data.
November’s data protection news: ● In a demoralising turn of events, the development of the ePrivacy Regulation proposal has come to a standstill ● Guidelines and reports from EU data protection authorities ● Cases and decisions from EU Member States ● Enforcement actions taken by National Data Protection Authorities ● Recommended articles.
It seems like time is rushing us, but take a moment to think about the importance of last month’s events for European data privacy: ● Data controllers in Romania start to feel the pressure of GDPR and ePrivacy enforcement, after a list of 55 corrective measures was published by the Data Protection Authority (ANSPDCP). ● Many useful guidelines were published by EU Member States’ DPAs – Spain shows us the rules of privacy by design, Ireland is active on the topics of Data Protection Impact Assessments, Data Subject Access Requests and Cloud Service Providers. ● The European Court of Human Rights decides on covert video surveillance at work. ● Romania has new legislative developments concerning electronic signature and the transposition of PSD2. ● Enforcement actions taken by National Data Protection Authorities. ● Recommended articles. ● More data protection news from Europe.
These are just some of the sensitive points that must be addressed in order to implement data protection obligations correctly: 1. The confusion between consent for medical interventions and consent for the processing of personal data. 2. Informing patients about the processing of their personal data. 3. Internal procedures for handling requests from data subjects. 4. Inventorying the categories of data processed and the processing activities. 5. Identifying vulnerabilities and addressing risks.
September’s data protection news: ● Erase and rewind: new CJEU case-law on right to be forgotten ● CJEU: cookies still in the limelight ● The scope of the right to access ● Romania: NIS Directive transposed ● EU: upcoming case-law & ePrivacy update ● Guidelines and reports from EU data protection authorities ● Cases and decisions from EU Member States ● Enforcement actions taken by National Data Protection Authorities ● Recommended articles.
This summer’s data protection news: ● The battle for cookies – ICO and CNIL issue new guidance, but the trenches of online profiling are hard to control ● CJEU’s Fashion ID – another case of joint controllers ● The pitfalls of relying on employee consent – a case from Greece ● New legislation in Romania wants to identify SIM card holders and monitor sex offenders ● Summary of first 4 GDPR fines in Romania ● News on EU legislative measures ● Guidelines, reports and recommendations from EU institutions and organizations ● Cases and decisions from EU Member States ● Enforcement actions taken by National Data Protection Authorities ● Data breaches and other cyber incidents ● Recommended articles ● More data protection news from Europe and worldwide.
Last month in data protection news: ● In cahoots with Facebook whether you like it or not: a feature story about being joint controllers with Facebook when you create a page ● GDPR in 1 year: links to all the articles we found with anniversary facts and figures ● An apple a day: Dutch Data Protection Authority issues guidance on treatment of medical data ● Political targeting online – a new frontier for privacy discussions ● Data protection guidelines and reports from EU institutions ● Cases and decisions from EU Member States ● Enforcement actions taken by National Data Protection Authorities ● Data breaches and other cyber incidents ● Recommended articles ● More data protection news from Europe and worldwide.
Last month in data protection news: ● Voice recordings: a feature story on new cases about the legal treatment of voice recordings, depending on the purpose of their use ● Data Protection Impact Assessments ● EU Legislation watch: news about legislative processes ● Romania: helpline for cybersecurity threats launched ● CNIL: 2018 activity report & 2019 enforcement strategy published ● Data protection guidelines and reports from EU institutions ● Cases and decisions from EU Member States ● Enforcement actions taken by National Data Protection Authorities ● More data protection news from Europe and worldwide.
The processing of health data in the medical field is a constant source of erroneous practices. Among other things, the legal basis for processing personal data is commonly misjudged: patients’ consent is requested even though it is neither necessary nor appropriate. A confusion is made between the patient’s consent to the medical act (which is mandatory) and consent to the processing of data (which is only one of the options listed in Art. 9 GDPR).
In reality, requesting a patient’s consent for the processing of their medical data is not a viable option. The patient cannot refuse without suffering a negative consequence (the medical act not being provided), and afterwards cannot withdraw consent, which means that presenting the existence of a choice is misleading. Doctors do, however, have at hand another option inserted in the GDPR specifically for them, namely Art. 9(2)(h) GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.
This and other important aspects of processing health data were presented by Andreea Lisievici as part of a mini-series of Wolters Kluwer seminars. And because the topic is one of high practical interest, we are making the presentation public.