Category: Personal Data

Being IT-Manager and Data Protection Officer? German Data Protection Authority sees this as a conflict of interest

24. November 2016

Background information:

Because the German Federal Data Protection Act requires companies to appoint a Data Protection Officer if at least ten persons are involved in the automated processing of personal data, companies must either appoint an employee as an internal Data Protection Officer or appoint an external Data Protection Officer. In general, the Data Protection Officer needs to have the necessary knowledge of data protection law and must also be reliable and independent. Furthermore, a Data Protection Officer is only considered reliable and independent if he/she does not have other obligations which could lead to a conflict of interest.

What happened?

A German Data Protection Authority just fined a company for appointing an internal Data Protection Officer who was also the IT Manager. The Data Protection Authority argued that the position of an IT Manager is incompatible with the position of the Data Protection Officer, because the Data Protection Officer would be required to monitor himself/herself. The Data Protection Authority explained that such self-monitoring contradicts the required independence.

This is a very important statement, as the upcoming GDPR also requires the appointment of a Data Protection Officer and further states that any other tasks and obligations of the Data Protection Officer must not result in a conflict of interests. Bear in mind that a violation of this may result in fines of up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover, whichever is higher.

White Paper on the role of DPOs according to the GDPR

22. November 2016

A White Paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation was just released by the Centre for Information Policy Leadership at Hunton & Williams LLP.

The White Paper provides guidance and recommendations in terms of the implementation requirements of the GDPR concerning the role of the Data Protection Officer, DPO.

According to the privacy and information blog of Hunton & Williams, the White Paper aims

  • “to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December and
  • to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).”

FBI statistic: 87% of the needed data could be accessed in 2016

15. November 2016

Motherboard online just published numbers that were disclosed by the FBI concerning whether the FBI is able to unlock most devices they need to get into.

According to General Counsel Jim Baker, the FBI is able to unlock and/or access data stored on both smartphones and computers. This statement is supported by the numbers that were released.

In 2016 the FBI

  • encountered passwords or passcodes on 2,095 out of 6,814 devices (31%),
  • with regard to the 2,095 devices that were locked, the investigators were able to get access in 1,210 cases and
  • couldn’t unlock around 880 devices.
  • In conclusion, in the vast majority of cases, namely 87%, the FBI was able to access the data that was needed.

It is worth recalling that the FBI and Apple fought in court earlier this year over the FBI’s request for help breaking into the iPhone of an alleged terrorist who killed 14 people in a shooting. That case led to a battle over encryption in which the FBI argued that access to encrypted data supports criminal investigations, since it can sometimes lead to important evidence on a suspect’s or a victim’s phone or computer.

However, the mentioned numbers, which had never been published before, “demonstrate that even with encryption turned on by default on all newer iPhones and some Android phones, it is posing a problem in a relatively small number of cases – while that same encryption is presumably preventing a wide range of crimes”, according to Kevin Bankston, the director of New America.


INTERPOL suggests that governments share terrorists’ biometric data

11. November 2016

The IAPP just published an article saying that INTERPOL calls on governments around the world to share terrorists’ biometric data in order to increase global security.

This statement was issued by INTERPOL’s General Assembly, which said that it currently possesses information about 9,000 terrorists. However, only 10 percent of these files include biometric information. INTERPOL’s Secretary General, Jürgen Stock, explains that this can be seen as “a weak link” in the prevention of terrorism.

On the one hand, some countries – among them several ASEAN countries – have taken big steps with regard to data sharing, as they have recently agreed to share biometric data for the purposes of counter-terrorism. On the other hand, many governments are still discussing how to handle biometric data domestically, so sharing such data internationally would be a step further.

However, governments worldwide are becoming more and more interested in biometric security, which might help to fight terrorism. INTERPOL’s suggestion might also increase this kind of cooperation.


“We need to have a wide discussion about data in Germany”

10. November 2016

Reuters online reported that Telefonica Deutschland’s chief executive, Thorsten Dirks, said in an interview: “People are right to scrutinize any attempt to make money off their data. At the same time they are handing over data voluntarily to companies such as Google and Facebook”. He concludes that there is a double standard among consumers.

At the moment Telefonica Deutschland holds anonymized data of 44 million mobile customers. This information could be used to track the movements of crowds and traffic, as well as for “many other areas that we at the moment cannot think of”, according to Dirks.

Dirks explained that Telefonica aims to be a platform for all devices connected to the internet and therefore to process all sorts of data gathered from sensors in cars, electronic devices and household appliances.

German Office for Information Security declares: sensitive data is poorly protected on smartphones

9. November 2016

The German Office for Information Security (BSI) published a survey concerning the security of personal data on smartphones.

  • 20.7 % of smartphone users do not have any security measures implemented against unauthorized access.
  • However, 74.6 % of smartphone users store sensitive data on their mobile device. This data includes, for example, pictures, videos, contact information, passwords and health data.
  • Not even 46.3 % of smartphone users have basic protection measures implemented, such as software updates.

Arne Schönbohm, chairman of the BSI, commented in the respective press release that although smartphones can be seen as computers in your pocket, the security measures that are standard on a home computer have not yet become established on them.


Mass Audit in Germany concerning 500 firms’ cloud transfers

8. November 2016

As the IAPP just published online, 10 of the 16 German Data Protection Authorities have begun to assess firms’ transfers of personal data to cloud services based outside of the EU.

According to a joint statement of the respective Data Protection Authorities, this is because cross-border personal data transfers are growing massively as a result of globalization and the rise of software-as-a-service.

Therefore, a mass audit is being conducted, covering about 500 randomly selected companies of various sizes. This audit is based on questionnaires asking about their transfers of employee and customer personal data to third countries, in particular to the U.S., while using services such as:

  • office apps,
  • cloud storage,
  • email and other communications platforms,
  • customer service ticketing,
  • support systems and
  • risk management and compliance systems.

If a company transfers personal data to third countries, it has to show the legal basis it relies on, for example Standard Contractual Clauses or the EU-U.S. Privacy Shield.

The Article 29 Working Party talks about the EU-U.S. Umbrella Agreement

2. November 2016

The Article 29 Working Party published a statement on the EU-U.S. Umbrella Agreement at the end of October.

On the one hand, the statement shows signs of support for the EU-U.S. Umbrella Agreement. On the other hand, it delivers recommendations in order to make sure that the agreement is compliant with European data protection law.

In general, the Article 29 Working Party supports the creation of a general data protection framework so that international data transfers comply with national, European and international data protection laws. Therefore, the Article 29 Working Party elaborates that the respective agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework”.

However, it is also mentioned that clarification is needed in terms of definitions, for example how to define personal data and data processing, because European and U.S. law define these terms differently.

According to a global survey companies are not ready for the GDPR

12. October 2016

Dell just published the results of a global survey on GDPR perceptions and readiness. Among other findings, the main result is a lack of awareness of the requirements, the necessary preparation and the impact:

  • More than 60 % answered that they are aware that something is going on with the GDPR. However, they said that they do not know what exactly is happening.
  • Just 4 % outside of Europe commented that they are very knowledgeable about the details of the GDPR, and only 6 % of those in Europe answered that they are very familiar with the requirements.
  • On top of this, less than 1 of 3 companies feel that they are prepared for the GDPR.
  • Furthermore, about 70 % said that their company is definitely not, or do not know if their company is, prepared for the GDPR today. However, only 3 % of them have a plan in order to get ready.
  • Fewer than 50 % commented that they feel confident they will be ready in time when the GDPR comes into effect in 2018. Nevertheless, just 9 % expect to be fully prepared.


Spain’s DPA: Investigations due to WhatsApp sharing data with Facebook

10. October 2016

After Hamburg’s Data Protection Commissioner strongly recommended that Facebook stop processing German data obtained from WhatsApp, after the U.K. Information Commissioner (the ICO) also started to investigate the agreement between WhatsApp and Facebook, and after Italy’s data protection authority (the Garante) started to look into this issue, now Spain’s data protection authority (the AEPD) raises concerns as well.

Therefore, Spain’s data protection authority advises users to read the terms and conditions carefully before accepting them. Furthermore, it offers guidance on changing the respective settings.
