In a previous post, this blog reported on German guidance on the scope of the right of access under Art. 15 of the GDPR and in particular on the right to receive a copy. The Supervisory Authority of Hesse region stated that the term “copy” in Art 15 GDPR should not be understood literally but … Continue Reading
On July 10, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (“CLOUD Act”) on the legal framework for the protection of personal data in the EU. The EDPB is an independent body composed … Continue Reading
On July 12, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the processing of patient data and the role of the European Commission within the eHealth Digital Service Infrastructure (“eHDSI”). Background The eHDSI system was established in the context of the eHealth Network. The … Continue Reading
Guidance on how to identify data subjects On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities. According to … Continue Reading
On June 28, 2019, the French Supervisory Authority (CNIL) announced that it will issue new guidelines on the use of cookies for direct marketing purposes. It will issue these guidelines in two phases. First, during July 2019, the CNIL will update its guidance issued in 2013 on cookies. According to the CNIL, the 2013 guidance … Continue Reading
On April 10, 2019, European Commission Directorate-General for Health and Food Safety issued a revised Q&A analyzing the interplay between the EU Clinical Trials Regulation (“CTR”) and the EU General Data Protection Regulation (“GDPR”). The revised Q&A takes into account the opinion of the European Data Protection Board (“EDPB”) issued on January 23, 2019, on … Continue Reading
On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper (available here in German) on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent and the principle of purpose limitation. According to the DSK, broad consent … Continue Reading
On March 26, 2019, the Polish Supervisory Authority (“SA”) issued a fine of around €220,000 against a company that processed contact data obtained from publicly available sources without informing the individuals concerned (decision in Polish here and English summary here). Article 14 of the GDPR requires data controllers, who do not obtain personal data directly … Continue Reading
On March 12, 2019, the European Data Protection Board (“EDPB”) issued an opinion in response to a series of questions about the competences, tasks and powers of European supervisory authorities for data protection (“SAs”), when the processing of personal data triggers the material scope of both the ePrivacy Directive and the General Data Protection Regulation … Continue Reading
On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU). The case centers on the use of consent for the processing of personal data and consent for the use of cookies. Planet49 GmbH offered an online lottery service for … Continue Reading
On March 7, 2019, the Dutch Supervisory Authority for data protection issued guidance prohibiting the use of “cookie walls” on websites. Cookie walls require website users to consent to the placing of tracking cookies or similar technologies before allowing them access to the website. According to the regulator, it received many complaints about this practice. … Continue Reading
On January 14, 2019, the Court of Justice of the European Union (“CJEU”) decided that video recordings of police officers in the exercise of their duties and the uploading of such videos on YouTube may constitute “journalistic activities” in the meaning of the journalism exception of the EU Data Protection Directive (“Directive”) (available here). The … Continue Reading
The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”). The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health. The Directorate General decided to create this Q&A … Continue Reading
On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here). The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises a … Continue Reading
On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google. In that case, the CNIL ordered Google to de-reference links to webpages containing personal data. According to the CNIL, the … Continue Reading
Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force … Continue Reading
On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of … Continue Reading
In early November, the Dutch Supervisory Authority released an injunction imposed against the public insurance body Uitvoeringsinstituut Werkgeversverzekering (“UWV”) last July. The UWV allows employers to submit data about their employees for social security purposes. The data includes dates of employee absences due to general illness (and when an employee is pregnant or gave birth, … Continue Reading
On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained. Vectaury is an advertising network that … Continue Reading
On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”). The decision has not been made public. Earlier this week, the hospital publicly announced that it will contest the fine. According to press reports, the CNPD … Continue Reading
On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”). The PSD2 intends to open the financial services market to a larger scale of innovative online services. To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers. … Continue Reading
On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here). ISO 27001 is an international information security standard. … Continue Reading
On October 23, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership will organize a workshop entitled, “Can GDPR Work for Health Research.” In the first session, the workshop will discuss the implications of the General Data Protection Regulation (“GDPR”) on clinical … Continue Reading
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in … Continue Reading
