This is an interesting case, and not only for the reasons mentioned in the press. It doesn't give us much to work with but... What strikes me, and is often overlooked by organisations, is that employees and ex-employees (as is the case here) have rights under GDPR. Every employee is a data subject.... although of … Continue reading The ex-employee & data subject rights
Grab a cup of coffee... or maybe a beer is more appropriate... after all it is a pub chat 🙂 Ralph is a unique, super interesting privacy guy whom you will enjoy spending some time with! https://www.youtube.com/embed/UwfiwGF6vJo
Given the recent Post by Konstantin I thought it made sense to write a brief Post on what a cookie wall actually is... after all it really is not obvious, or is it? Just in case it is not here we go. A cookie wall makes it impossible for visitors to browse a website without … Continue reading What is a ‘cookie wall’?
I watched the congressional testimony on Capitol Hill today regarding the pandemic, and listened to the medical experts from NIH/NIAID, CDC, FDA, and the Administration. Their observations got me thinking about the concept of culture change and how much we are hearing about how the pandemic is changing (or going to change) cultural norms and … Continue reading Culture Change During this Momentous Time
France's Council of State has ordered the CNIL (French data protection watchdog) to cancel parts of its guidelines on cookies as the ban on cookie walls was not valid. The court explained that the CNIL exceeded its specific mandate under an act called "flexible law" which refers to instruments, such as regulatory authorities' guidelines, which … Continue reading An interesting twist in the ‘cookie walls’ saga.
Being a great tool for privacy pros to keep up to date with extensive case law, it also increases the overall awareness of how data protection laws are applied in cooperation between the lead DPA and the other DPAs concerned (the GDPR Article 60). As I expect more comments on this occasion in the days/weeks … Continue reading Breaking news: EDPB has published the “one-stop-shop” decision register.
PwC developed a facial recognition tool that logs when employees are absent from their computer screens while they work from home. In particular, there has to be a specific excuse for any absence (including toilet breaks). Too invasive? No doubt. Disproportionate with no likely legal grounds? WP29 Opinion 2/2017 on data processing at work suggests … Continue reading PwC vs. employee privacy
One is not a ‘special case’ of another as it may seem prima facie. The KEY consideration here is that DPIA is conducted prior to rolling out new projects implying data processing operations posing a high risk and thus tailored specifically to them. In contrast, DPbD comes into play at the very earliest stage of … Continue reading Interplay between the GDPR Articles 25 (‘Data protection by design’, DPbD) and 35 (DPIA).
A thorough analysis of clear things and grey zones of the EDPB Guidelines 3/2018 on territorial scope. My attention was, in particular, drawn by a friendly reminder that the status of a non-EU processor is dual as per Article 3(2): it is indirectly influenced by the GDPR if it carries out processing on behalf of a … Continue reading Status of non-EU processors under Article 3(2) GDPR
An old issue each privacy pro learnt by heart: "risk of negative consequences (e.g. substantial extra costs)" for data subject = no freely-given consent. Substantial. But what if extra costs are not substantial? What if, say, 10$ turns into 11$ if you refuse to consent? Is it ok? At least, German watchdog seems to say … Continue reading Ticking time-bomb in the EDPB Guidelines on consent?