Tag: guidance

Greek Data Protection Authority releases Guidance on Cookies

16. March 2020

On 25 February 2020, the Hellenic Data Protection Authority (DPA) published a guidance on Cookies and other tracking tools. Previously, the Authority had found that Greek websites and service providers have been largely failing to comply with the rules on the use of Cookies and other trackers set out by the ePrivacy Directive and the GDPR, and reaffirmed by the European Court of Justice’s ruling on Planet 49.

The guidance states that it will be relevant to HTTP/S Cookies, Flash Cookies, local storage applying to HTML 5, device fingerprinting, OS identifiers, and material identifiers.

The Greek DPA reiterated that, generally, providers are obliged to obtain the user’s consent if they are using any tracking tools – irrespective of whether the processing of personal data is taking place. It also outlined that technically necessary trackers are exempt from the obligation to consent. Furthermore, the guidance goes into detail on how information and consent can be made available on websites specifically.

Lastly, the Authority has given Greek website providers a grace period of two months to implement the provisions of this guidance and thereby become compliant with the European rules on tracking tools.

Irish DPC updates Guidance on Data Processing’s Legal Bases

17. December 2019

The Irish Data Protection Commission (DPC) has updated their guidance on the legal bases for personal data processing. It focuses on data processing under the European General Data Protection Regulation (GDPR) as well as data processing requirements under the European Law Enforcement Directive.

The main points of the updates to the guidance are to make companies more sensitive of their reasons for processing personal data and choosing the right legal basis, as well as ensure that data subjects may be able to figure out if their data is being processed lawfully.

The guidance focuses on the different legal bases in Art.6 GDPR, namely consent, contracts, legal obligation, vital interests, public task or legitimate interests. The Irish DPC states that controllers do not only have to choose the right legal basis, but they also have to understand the obligations that come with the chosen one, which is why they wanted to go into further detail.

Overall, the guidance is made to aid both controllers and data subjects. It consists of a way to support a better understanding of the terminology, as well as the legal requirements the GDPR sets out for processing personal data.

CNIL publishes guidance on data sharing

18. January 2019

At the end of last year, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés”, the “CNIL”) published guidance on sharing data with business partners or third parties. The CNIL stated that many companies that collect data from individuals transfer this data to “business partners” or other organisations especially to send prospecting emails. In case of a transmission the data subjects must maintain control over their personal data .

The published guidance state the following five requirements:

• Prior consent: Before sharing data with business partners or third parties such as data brokers, organisations must request the individual’s consent.

• Identification of the partners: The individuals must be informed of the specific partner(s) who may receive the data. According to the CNIL’s guidance, the organisation can either publish a complete and updated list containing the organisation’s partners directly on the data collection form or if such a list would be too long, it can integrate a link to the collection form. This should be inserted together with a link to their respective privacy policies.

• Information of changes to the list of partners: The organisations have to notify the individuals of any changes to the list of partners, especially if they may share the data with new partners. Therefore, they may provide an updated list of their partners within each marketing message sent to the individual and each new partner that receives the individual’s data must inform him or her of such processing in its first communication to the data subject.

• No “transfer” of the consent: Companies may not share the information they receive with their own partners without obtaining the consent of individuals, in particular with regard to the identity of new companies that would become recipients of the subject’s data.

• Information to be provided by the partner(s): The partner who received the individual’s data for their own marketing purposes must inform the data subject of the origin (name of the organisation who shared the data with them) and inform them of their data subject rights, in particular the right to object to the processing.

Category: EU · French DPA
Tags: , ,