Category: General
16. March 2016
The Consumer Protection Association of North-Rhine Westphalia submitted a formal complaint against the Fashion ID, run by Peek & Cloppenburg. The Düsseldorf District Court in Germany had to rule, whether Peek & Cloppenburg was allowed to have the Facebook Like button on their shopping website. The court decided, that in this case the Facebook Like button was violating German and EU Data Protection Law. The Fashion ID was transferring the gathered information of its consumers to the social media, irrespective of whether the consumer was signed on Facebook or not. Furthermore, it was criticized, that the information of the personal data subject was also transferred to Facebook, without even clicking the Facebook Like button before.
The Court decided, that such a procedure is not compliant with the applicable law. Companies should therefore implement measures, that safeguard the personal data of the consumer and not transfer the gained information to other parties, without the informed consent of the data subject.
2. March 2016
According to an article on the International Association of Privacy website, Chinese privacy laws are still in their early stages and the existing laws are similar to international norms like notice and security. Nevertheless, the development of Chinese privacy law should not be ignored by companies, who wish to enter the Chinese market, since China is the growing economic power and has a wide consumer range. To understand Chinese privacy awareness, companies have to understand the cultural background and Chinese consumer expectations.
First of all, there should be a focus on community values, because the Chinese put a lot of importance to values and ethics. It is relevant to develop corporate policies, which show an understanding for the community values. For Chinese people it is important, that privacy law protects their private lives from community exposure.
Secondly, companies should try to understand the expectations of the Chinese consumers. The Chinese may be more open to data processing, especially if the processing leads to pragmatic outcomes, such as tailored features. Also, the Chinese may have fewer expectations towards privacy compared with other values, such as corporate transparency. Therefore companies should adjust their policies and put emphasis on transparency reports.
16. February 2016
The WP29 has recently published a statement with regards to the action plan in order to implement the EU GDPR (General Data Protection Regulation). The 2016 Action Plan is based on the following four priorities, which are relevant for the tasks of the WP29 and their subgroups.
1. Building up the EDPB (European Data Protection Board) structure and its administration
The main task will be developing IT systems. The European Data Protection Supervisor and the WP29 will furthermore cooperate to set up human resources, a budget and future procedures of the EDPB.
2. Setting up the One-Stop-Shop and the consistency mechanism
In order to prepare the One-Stop-Shop several measures will be necessary, e. g. a lead DPO will have to be designated and the EDPB consistency mechanisms need to be developed.
3. Publishing guidelines for data controllers and processors
The WP29 will publish different guidelines to assist data controllers and data processors in order to fulfil their duties according to the GDPR, such as the new right to portability, “Data Protection Impact Assessment”, and the announcement of a DPO.
4. Communication around the EDPB and the GDPR
The WP29 intends to create an online communication tool, to reinforce the relationship between the EU institutions and to participate in external events to promote the new governance model.
The subgroups of the WP29 will continue fulfilling their tasks. The International Transfers subgroup for instance will carry on analyzing the judgement of the European Court of Justice concerning e.g. the Schrems case. Furthermore, they will be analyzing the EU-U.S. Privacy Shield and its impact on the international data transfers once it has been released.
The WP29 will examine the 2016 Action Plan regularly in order to complete it in 2017.
2. February 2016
European officials and the U.S. agreed today on a new safe harbor agreement. The EU Article 29 Working Group had set a deadline until the end of January 2016 to find an alternative agreement, which was missed. The agreement still needs to be approved by the 28 member states. Further information on the new safe harbor agreement is expected after the EU Article 29 Working Group meeting, which is supposed to take place today and tomorrow.
22. January 2016
After several negotiations, the European Parliament, the European Council and the European Commission finally reached a consensus in December 2015 on the final version of the General Data Protection Regulation (GDPR), which is expected to be approved by the European Parliament in April 2016. The consolidated text of the GDPR involves the following practical consequences:
1) Age of data subject´s consent: although a specific, freely-given, informed and unambiguous consent was also required according to the Data Protection Directive (95/46 EC), the GDPR determines that the minimum age for providing a legal consent for the processing of personal data is 16 years. Nevertheless, each EU Member State can determine a different age to provide consent for the processing of personal data, which should not be below 13 years (Arts. 7 and 8 GDPR).
2) Appointment of a Data Protection Officer (DPO): the appointment of a DPO will be mandatory for public authorities and for data controllers whose main activity involves a regular monitoring of data subjects on a large scale or the processing of sensitive personal data (religion, health matters, origin, race, etc.). The DPO should have expert knowledge in data protection in order to ensure compliance, to be able to give advice and to cooperate with the DPA. In a group of subsidiaries, it will be possible to appoint a single DPO, if he/she is accessible from each establishment (Art. 35 ff. GDPR).
3) Cross-border data transfers: personal data transfers outside the EU may only take place if a Commission decision is in place, if the third country ensures an adequate level of protection and guarantees regarding the protection of personal data (for example by signing Standard Contractual Clauses) or if binding corporate rules have been approved by the respective Data Protection Authority (Art. 41 ff. GDPR).
4) Data security: the data controller should recognize any existing risks regarding the processing of personal data and implement adequate technical and organizational security measures accordingly (Art. 23 GDPR). The GDPR imposes strict standards related to data security and the responsibility of both data controller and data processor. Security measures should be implemented according to the state of the art and the costs involved (Art. 30 GDPR). Some examples of security measures are pseudonymization and encryption, confidentiality, data access and data availability, data integrity, etc.
5) Notification of personal data breaches: data breaches are defined and regulated for the first time in the GDPR (Arts. 31 and 32). If a data breach occurs, data controllers are obliged notify the breach to the corresponding Data Protection Authority within 72 hours after having become aware of it. In some cases, an additional notification to the affected data subjects may be mandatory, for example if sensitive data is involved.
6) One-stop-shop: if a company has several establishments across the EU, the competent Data Protection Authority, will be the one where the controller or processor’s main establishment is located. If an issue affects only to a certain establishment, the competent DPA, is the one where this establishment is located.
7) Risk-based approach: several compliance obligations are only applicable to data processing activities that involve a risk for data subjects.
8) The role of the Data Protection Authorities (DPA): the role of the DPA will be enforced. They will be empowered to impose fines for incompliances. Also, the cooperation between the DPA of the different Member States will be reinforced.
9) Right to be forgotten: after the sentence of the ECJ from May 2014, the right to be forgotten has been consolidated in Art. 17 of the GDPR. The data subject has the right to request from the data controller the erasure of his/her personal data if certain requirements are fulfilled.
10) Data Protection Impact Assesment (PIA): this assessment should be conducted by the organization with support of the DPO. Such an assessment should belong to every organization’s strategy. A PIA should be carried out before starting any data processing operations (Art. 33 GDPR).
Pages: Prev 1 2 3 ... 22 23 24 25 26 27 28 29 30 31 32