Tag: guidance

Irish DPC updates Guidance on Data Processing’s Legal Bases

17. December 2019

The Irish Data Protection Commission (DPC) has updated their guidance on the legal bases for personal data processing. It focuses on data processing under the European General Data Protection Regulation (GDPR) as well as data processing requirements under the European Law Enforcement Directive.

The main points of the updates to the guidance are to make companies more sensitive of their reasons for processing personal data and choosing the right legal basis, as well as ensure that data subjects may be able to figure out if their data is being processed lawfully.

The guidance focuses on the different legal bases in Art.6 GDPR, namely consent, contracts, legal obligation, vital interests, public task or legitimate interests. The Irish DPC states that controllers do not only have to choose the right legal basis, but they also have to understand the obligations that come with the chosen one, which is why they wanted to go into further detail.

Overall, the guidance is made to aid both controllers and data subjects. It consists of a way to support a better understanding of the terminology, as well as the legal requirements the GDPR sets out for processing personal data.

CNIL publishes guidance on data sharing

18. January 2019

At the end of last year, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés”, the “CNIL”) published guidance on sharing data with business partners or third parties. The CNIL stated that many companies that collect data from individuals transfer this data to “business partners” or other organisations especially to send prospecting emails. In case of a transmission the data subjects must maintain control over their personal data .

The published guidance state the following five requirements:

• Prior consent: Before sharing data with business partners or third parties such as data brokers, organisations must request the individual’s consent.

• Identification of the partners: The individuals must be informed of the specific partner(s) who may receive the data. According to the CNIL’s guidance, the organisation can either publish a complete and updated list containing the organisation’s partners directly on the data collection form or if such a list would be too long, it can integrate a link to the collection form. This should be inserted together with a link to their respective privacy policies.

• Information of changes to the list of partners: The organisations have to notify the individuals of any changes to the list of partners, especially if they may share the data with new partners. Therefore, they may provide an updated list of their partners within each marketing message sent to the individual and each new partner that receives the individual’s data must inform him or her of such processing in its first communication to the data subject.

• No “transfer” of the consent: Companies may not share the information they receive with their own partners without obtaining the consent of individuals, in particular with regard to the identity of new companies that would become recipients of the subject’s data.

• Information to be provided by the partner(s): The partner who received the individual’s data for their own marketing purposes must inform the data subject of the origin (name of the organisation who shared the data with them) and inform them of their data subject rights, in particular the right to object to the processing.

Category: EU · French DPA
Tags: , ,