On June 8, 2020, the Belgian Supervisory Authority (“SA”) fined a (then ex-) politician €5,000 for sending political marketing materials without an appropriate legal basis. Although the fine was not massive, the case is interesting for another reason: the complaint was brought not by the individuals who received the marketing materials, but by their employer. … Continue Reading
On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here). To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its … Continue Reading
On June 2, 2020, the French Supervisory Authority (“CNIL”) published a paper on algorithmic discrimination prepared by the French independent administrative authority known as “Défenseur des droits”. The paper is divided into two parts: the first part discusses how algorithms can lead to discriminatory outcomes, and the second part includes recommendations on how to identify … Continue Reading
On April 21, 2020, the Regulation on the Requirements and Reimbursement Process for Digital Health Applications (Digitale Gesundheitsanwendungen-Verordnung or „DiGAV“, available here) entered into force in Germany. Among other provisions, the DiGAV includes specific IT security and privacy requirements. Shortly after the law took effect, Germany’s Federal Medicines and Medical Devices Agency (“BfArM”) also released … Continue Reading
On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees. In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints. This initiative came … Continue Reading
On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19. The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conduct such research, while at the same time, it helps … Continue Reading
On April 21, 2020, the French Supervisory Authority (“CNIL”) launched a public consultation on the rights of minors in the digital services. The consultation is open until June 1, 2020. The CNIL will use the contributions it receives to prepare recommendations in this area. Under the French Data Protection Law, minors over 15 years old … Continue Reading
On April 9, 2020, the German Supervisory Authority of Baden-Wuerttemberg published standard contractual clauses for data processors pursuant to Article 28(8) GDPR. It is the first German Supervisory Authority to do so, and the second in EU after the Danish Supervisory Authority published its own standard clauses in July 2019. However, while the Danish clauses … Continue Reading
On March 28, 2020, the “Federal Act for the Protection of the Population against an Epidemic of National Significance” (Bevölkerungsschutzgesetz) went into effect. The law forms part of an emergency legislative package introduced by the German government in response to COVID-19. The law amends the Social Code V (SGB V) by introducing a new provision … Continue Reading
Pan-European Privacy Preserving Proximity Tracing Initiative According to media sources, an EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) will soon release software code that can be used to create apps that will help track transmission chains of COVID-19. The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 … Continue Reading
On March 24, 2020, the Dutch Supervisory Authority (“SA”) announced the launch of a broad investigation into automobile manufacturers, to determine whether any violations of data protection laws have occurred in relation to connected cars. The Dutch SA sent a questionnaire to all Netherlands-based car and truck manufacturers, asking what types of personal data they … Continue Reading
In order to combat the proliferation of COVID-1, several EU Member States have strongly recommended or required that employees engage in teleworking, rather than attend work as normal. In this context, the European Union Agency for Cybersecurity (“ENISA”), on March 15, 2020, issued its “top tips for cybersecurity when working remotely”. Some data protection Supervisory … Continue Reading
As scientists work around the clock to gain insights into the Corona virus and how to fight it, public and private-sector stakeholders are in discussions to promote the rapid exchange of scientific data. During these discussions, the GDPR acronym inevitably rears its head and casts doubt over what is lawful. The GDPR and national data … Continue Reading
On March 13, 2020, the Belgian data protection authority (“APD”) issued guidance on data protection and COVID-19. The guidance is mainly aimed at employers processing personal data of employees in the context of the measures they have taken to contain the spreading of COVID-19. The guidance is divided in the following three parts: legal basis … Continue Reading
On March 6, 2020, the Italian Data Protection Authority (“Garante”) reported on new measures designed to protect the health data of patients in the context of Government procurement efforts (calls for tender) to acquire medical equipment and devices. The new measures are the result of a collaboration between the Garante and Consip, a company wholly … Continue Reading
On March 6, 2020, the French Supervisory Authority (“CNIL”) released a statement on processing personal data in light of COVID-19. The CNIL notes that while everyone should take measures to prevent the spread of the virus, such efforts must comply with applicable data protection rules, in particular when collecting and processing sensitive health data. As … Continue Reading
On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps. The … Continue Reading
On February 10, 2020, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) launched its first public consultation procedure. The consultation invites comments on a position paper of the BfDI which addresses the anonymization of personal data under the General Data Protection Regulation (GDPR), with a particular focus on the telecommunications sector (for … Continue Reading
Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps. Accordingly, on January 15, 2020, the German government published a draft regulation setting … Continue Reading
On January 14, 2020, the French Supervisory Authority (“CNIL”) published a new draft guidance on the use of cookies and similar technologies on websites and applications (see here, in French). The draft guidance is open for public consultation until February 25, 2020. In its nine articles, the guidance sets out how to properly inform users … Continue Reading
In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch). The Court was asked to decide on the scope of the right of access under the GDPR. The defendant in this case was a bailiff involved in the bankruptcy procedure. The individual who was target of … Continue Reading
On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month. Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative. In … Continue Reading
On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case. In brief, the AG recommended that … Continue Reading
On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”). The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities. … Continue Reading
