Tag: GDPR

Microsoft violates the GDPR on a massive scale

20. November 2018

A Data Protection Impact Assessment (DPIA) outsourced by the Dutch Ministry of Justice and Security, concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them. According to this report, Microsoft thus violates the General Data Protection Regulation (GDPR) on a massive scale.

The DPIA was carried out to probe the use of Microsoft Office in the public sector. Most of the Dutch authorities use Microsoft Office 2016, Office 365 or an older version. The Dutch judiciary, police, various ministries and tax offices use Word, Excel, Outlook and PowerPoint. The DPIA found that Microsoft not only collects and stores personal data but also send them to the US. In addition, users are not informed and it is not offered to switch off the collection or to see what data are collected. The Assessment outlined eight different risks and possible risk mitigating measures. One example is the “Lack of Transparency”. A possible measure recommended for Microsoft is the public documentation and the implementation of a data viewer tool because at the moment the content of the diagnostic data (i.e. “all observations stored in event logs about the behaviour of individual users of the services”) is not accessible.

Microsoft stated that -for the examined Office versions- between 23,000 and 25,000 event logs are sent to Microsoft servers and that 20 to 30 development teams analyse the data. The company agreed to change its practices by April 2019 and until then offers “zero exhaust” settings to shut down the data collection. A Microsoft spokesperson told The Register: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.”

In addition to applying the new settings, the DPIA encourages users to deactivate Connected Services and Microsoft’s data sharing system, not use the web-based Office 365, SharePoint, or OneDrive, delete the directory of the system, and consider using alternative software.

Privacy International accuses seven companies of violating the GDPR

13. November 2018

On November 8th, Privacy International – a British non-governmental organisation – has filed complaints against seven data brokers (Axiom, Oracle), ad-tech companies (Criteo, Quandcast, Tapad) and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland and the UK.

Privacy International accuses those companies of violating the GDPR: They all collect personal data from a wide variety of sources and merge them into individual profiles. Therefore, information from different areas of an individual’s life flow together to create a comprehensive picture e.g. online and offline shopping behaviour, hobbies, health, social life, income situation.

According to Privacy International, the companies not only deal with the collected data, but also with the conclusions they draw about their data subjects: Life situation, personality, creditworthiness. Among their customers are other companies, individuals and governments. Privacy International accuses them to violate data protection principals such as transparency, purpose limitation, data minimisation, integrity and confidentiality.

Furthermore, the companies have no valid legal basis for the processing of personal data, in particular for the purpose of profiling. According to Privacy International, where those companies claim to have the consent of the data subjects, they cannot prove how this consent was given, nor that the data subjects voluntarily provided it after sufficient and clear information.

“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back,” Frederike Kaltheuner, Privacy International’s data exploitation programme lead, said.

With its complaint, Privacy International takes advantage of a new possibility for collective enforcement of data protection created by the GDPR. The Regulation allows non-profit organisations or associations to use supervisory procedures to represent data subjects (Art. 80 GDPR).

400,000€ fine for a Portuguese hospital

24. October 2018

The Portuguese data protection supervisory authority CNPD (Comissão Nacional de Protecção de Dados) recently announced that the hospital Barreiro Montijo is to pay a fine of 400,000€ for incompliancy with the EU General Data Protection Regulation (GDPR). This is the first time that a high fine has been imposed in Europe based on the new GDPR framework of fines.

According to Portuguese newspaper Público, the hospital has violated the GDPR by allowing too many users to have access to patient data in the hospital’s patient management system, even though they should only have been visible to medical doctors. In addition, too many profiles of physicians have been created in the hospital system. The CNPD discovered that 985 users with the access rights of a medical doctor were registered, although only 296 physicians were employed in 2018.

The hospital now wants to take legal action against the fine.

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.

Many companies have not started preparing for the GDPR

27. June 2017

The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).

Companies, in specific, that fall under the regulations of the GDPR should be prepared to fulfil the requirements that are stated by the GDPR, due to the risk of an imposition of a fine if they fail to comply with the GDPR. This is in particular relevant since the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).

The implementations that companies have to make to comply with the GDPR involve high expenses and probably will be more time consuming than expected in most cases, depending on the size and complexity of the company. Especially the time factor has to be considered since it is less than a year left until May 2018.

However, according to a report of TrustArc, 61 % of the asked companies have not yet started with the implementation of their GDPR compliance programs.

TrustArc interviewed 204 privacy professionals from companies of different industries that will fall under the GDPR. These companies were divided into three categories based on the count of their employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.

23 % stated that they have started with the necessary implementations, 11 % that the implementations are driven forward and just 4 % stated that they had finished all necessary implementations to reach GDPR compliance.

The Report also shows the cost that companies expect to be need to implement what will be necessary to comply with the GDPR. Overall, 83% expect that their expenses will be in the six figures.

Article 29 WP will release guidelines on the GDPR by the end of 2016

26. October 2016

As Bloomberg reports, the Article 29 WP will provide guidance on the GDPR soon. Isabelle Falque-Pierrotin, Chairwoman of the CNIL as well as of the Article 29 WP, acknowledged that the GDPR text is ambiguous in some aspects. Therefore, these guidelines aim at serving as an operational toolbox.

Amongst others, the guidance to the GDPR shall refer to the following aspects:

  • The designation of the leading Supervisory Authority in case of complaints or in relation to other procedures. Moreover, aspects of the bilateral cooperation and competence to resolve disputes by the Supervisory Authorities and the European Data Protection Board shall be clarified.
  • Guidance on the figure of Data Protection Officers is one of the priorities of the Article 29 WP, as it will play an essential role in companies on achieving GDPR compliance.
  • The right to data portability has been regulated for the first time in the GDPR. This right will allow data subjects to access their data and transfer data to other data controllers, for example upon the change of telephone provider. The guidance should focus on its scope and implementation.
  • The standard by which the proof of consent will take place, will have to be specified. This is especially important for small and medium-sized companies, for which a “simple pedagogical tool” will be developed.
  • A formal guidance on the Privacy Shield will not take place until the EU Commission has reviewed its functioning after the first year, this is summer or early fall 2017.

At the moment, the Article 29 WP remains neutral with regard to the Brexit. However, Falque-Pierrotin remarked that the Privacy Shield may be also useful in UK regarding international data flows with the U.S.A.

Further guidance is also expected in 2017, especially regarding topics such as the EU-U.S. Privacy Shield and the implication of the Brexit in privacy issues.

UK Data Protection Commissioner speaks about “Brexit” and the GDPR

5. October 2016

Last week, Elizabeth Denham, held her first speech as UK Information Commissioner (ICO). In this speech she referred, amongst others, to the effects of the Brexit with regard to the application of the GDPR.

Denham remarked that the GDPR involves the modernization of European Data Protection and the necessity of these new rules in order to ensure cross-border commerce and the protection of individuals. As the GDPR may be applicable before the UK has left the EU, she ensured that the ICO will keep on providing guidance and advice on the GDPR.

Furthermore, she stated that even after the UK has formally left the EU, flows of personal information will be still necessary, so that the level of data protection in the UK should be essentially equivalent to the one in the EU. Therefore, she encourages businesses to improve and adapt their practices to the GDPR.

Category: GDPR · UK
Tags: , ,

Survey results about the impact of the GDPR and the EU-U.S. Privacy Shield published

4. August 2016

Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.

The participants were senior managers and individuals involved in the fields of data protection and data security that belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.

Most of the respondents acknowledge that both, GDPR and Privacy Shield, imply that organizations have to implement an action-plan accordingly. This will imply higher costs and efforts. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. A 45% stated that their organization does not have adequate tools currently to be compliant and implementing the required tools may be involved with significant costs.

Moreover, the majority of the participants recommended organizations to self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. Also, they believe that the Privacy Shield should be complemented by other mechanisms to transfer personal data such as Binding Corporate Rules or Standard Contractual Clauses.

75.4% of Cloud Apps are not compliant with GDPR

18. July 2016

According to the Netskope Cloud Report from June 2016, almost 75.4% of the cloud apps are not compliant with the GDPR. The main reason for this incompliance is the lack of awareness that most organizations have about the amount of cloud apps being used at the company.

The compliance evaluation was based on eight aspects of the GDPR: geographic requirements, data retention, data privacy, terms of data ownership, data protection, data processing agreement, auditing and certifications.

Compliance with the GDPR involves not only that customers as data controllers implement the provisions of the GDPR accordingly, but also that cloud apps vendors (as data controllers) are also compliant. This compliance requirement of the data processor is one of the new requirements that the GDPR imposes. Data processors are also subject to strict data processing requirements and are liable for breach of their obligations. This way, customers are liable for the use they make of the cloud apps and cloud vendors are liable for inherent security and enterprise-readiness.

The report reveals that the main incompliances relate to the data export requirements after termination of service, to excessively long retention periods and to data ownership terms. Moreover, malware also represents an increasing problem regarding cloud apps.

Upon the entry into force of the GDPR, companies shall be able to

  • Identify existing cloud apps in their organization and analyze the risks involved
  • Identify cloud apps storing sensitive data
  • Adopt measures in order to be compliant according to the eight main aspects mentioned above
  • Identify cyber threats and implement adequate measures to safeguard personal data
Pages: 1 2 Next
1 2