CASES, SANCTIONS AND CLAIMS
- The Ministry of Justice and Security Strategic Vendor Management Microsoft published a DPIA report on diagnostic data processing in Microsoft Office 365 for the Web and mobile Office apps.
- The Finnish Data Protection Authority imposed a fine on an organization for failing to do a data protection impact assessment (DPIA) before starting the data processing related to security camera surveillance, location data processing and automatic decision-making and profiling in the context of the loyalty program.
- The Finnish DPA imposed three administrative fines for data protection violations. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.
- The Finnish DPA has imposed an administrative fine of €72,000 against taxi company Taksi Helsinki for data protection violations. Among other things, the company failed to conduct the impact assessments required by GDPR before the start of processing.
- The Norwegian Data Protection Authority imposed a fine on the Rælingen municipality for failure to do a DPIA before processing personal data in a digital learning platform.
REPORTS AND ARTICLES FROM OTHER ORGANISATIONS
- Fieldfisher publishes a table with processing activities which trigger the obligation to conduct a DPIA, based on national “DPIA blacklists” (direct download here).
- Dr. Márton Domokos: EU: A fit-for-all DPIA for online marketing campaigns
OFFICIAL GUIDELINES, REPORTS AND STATEMENTS
- EDPS: DPIA List for EU institutions.
- CNIL: DPIA whitelist.
- Irish DPC: Guide to Data Protection Impact Assessments for any processing that is ‘likely to result in a high risk to individuals’, including some specified types of processing.
- Gibraltar: Data Protection Impact Assessment template.
- Irish DPC: guidance for controllers and processors whose business activities may require them to carry out a Data Protection Impact Assessment.
- EDPS: report on Data Protection Impact Assessment under Article 39 of the Regulation.
- The Spanish DPA (Agencia Española de Protección de Datos – AEPD) has published an English template for a data protection impact assessment report.
- French CNIL: updated tool to conduct the DPIA. The open source PIA software facilitates the development and formalization of DPIAs, as required by the GDPR.