Observations on Office Re – Engineering: Privacy Offices and Research Offices

Earlier today I had the opportunity to watch the highly useful IAPP webinar entitled What Works: Benchmarking and Improving your Privacy Program. I was particularly intrigued by the comments directed at improving / re - engineering a privacy office. The presenters emphasized the constant evolution of privacy regimes on a global scale, and that today … Continue reading Observations on Office Re – Engineering: Privacy Offices and Research Offices

On a crucial importance of TOMs under GDPR Article 32

DPA of Baden-Württemberg (Germany) fined a health insurance company 1'240'000 EUR for insufficient implementation of TOMs resulted in personal data of app. 500 individuals being accidentally processed for advertising purposes without due consent.  The fine is quite high, especially given that there have been some mitigating factors in this case: not too many data subjects … Continue reading On a crucial importance of TOMs under GDPR Article 32

Tiktok moves under control of Irish DPC

From 29 July 2020 onwards, Tiktok Ireland will control the data of all users in the EEA and Switzerland. Nothing specific, just another smart move of a non-EEA company (parental company Tiktok Inc incorporated in the US) in an attempt to use one-stop-shop mechanism via its EEA subsidiaries. Except for one thing. The recent French … Continue reading Tiktok moves under control of Irish DPC

An interesting twist in the ‘cookie walls’ saga.

France's Council of State has ordered the CNIL (French data protection watchdog) to cancel parts of its guidelines on cookies as the ban on cookies walls was not valid. The court explained that the CNIL exceeded its specific mandate under an act called "flexible law" which refers to instruments, such as regulatory authorities' guidelines, which … Continue reading An interesting twist in the ‘cookie walls’ saga.

Breaking news: EDPB has published the “one-stop-shop” decision register.

Being a great tool for privacy pros to keep up to date with extensive case law, it also increases the overall awareness of how data protection laws are applied in cooperation between the lead DPA and the other DPAs concerned (the GDPR Article 60). As I expect more comments on this occasion in the days/weeks … Continue reading Breaking news: EDPB has published the “one-stop-shop” decision register.

Interplay between the GDPR Articles 25 (‘Data protection by design’, DPbD) and 35 (DPIA).

One is not a ‘special case’ of another as it may seem prima facie. The KEY consideration here is that DPIA is conducted prior to rolling out new projects implying data processing operations posing a high risk and thus tailored specifically to them. In contrast, DPbD comes into play at the very earliest stage of … Continue reading Interplay between the GDPR Articles 25 (‘Data protection by design’, DPbD) and 35 (DPIA).

CJEU & legitimate interest in scope: what the controller should remember of.

CJEU gave the Judgement in the course of a preliminary ruling on whether Articles 6(1)(c) and 7(f) of the Data Protection Directive (95/46/EC) precluded national law from allowing installation of a CCTV system in the common parts of a residential building, relying on a legitimate interest (Case C-708/18).   The overall answer is "No, it … Continue reading CJEU & legitimate interest in scope: what the controller should remember of.

Belgian data protection watchdog sends controversial ‘message’ with regard to non-profit data controllers.

An interesting GDPR enforcement case came from Belgium in late May. Imagine that a data controller is sending unsolicited postal communications and ignoring data subject rights to object (Article 21) and to be forgotten (Article 17). On top of that, it misidentified legal basis and relied on the legitimate interest instead of consent (of course, … Continue reading Belgian data protection watchdog sends controversial ‘message’ with regard to non-profit data controllers.

‘Privacy by design’: does all begin with corporate privacy culture?

In scope - a useful hands-on guidance from IAPP authors for privacy pros on what to focus when taking very first steps to internalize PbD principle. It may come as a surprise for us being buried under tons of privacy-related papers that the author suggests to begin with the inner privacy culture and getting C-level … Continue reading ‘Privacy by design’: does all begin with corporate privacy culture?

A “purpose”​ element: what is inside the controller’s mind?

In 'Opinion 4/2007' on the concept of personal data, Working Party 29 ('WP29’) identified four building blocks in the definition of personal data - ‘any information’, ‘relating to’, identified or identifiable’, ‘natural person’. They remained the same in the GDPR, thus rendering ‘Opinion 4/2007’ relevant for understanding the concept of personal data.  However, WP29, instead … Continue reading A “purpose”​ element: what is inside the controller’s mind?