In a recent decision, the Icelandic Data Protection Authority (DPA), Persónuvernd, upheld the legitimate interest of companies sending customer satisfaction surveys and cross-referencing caller information. The case involved the insurance company VÍS and one of its customers and addressed whether a data controller could lawfully cross-check a (anonymous) caller’s phone number with its customer database […]
data protection
Understanding China’s Network Data Security Management Regulation: Key Comparisons with GDPR and PIPL
After years of development, People’s Republic of China (“China”) has established a data security legal framework centered on the “Cybersecurity Law”, “Data Security Law”, and “Personal Information Protection Law” (PIPL). The issuance of the “Network Data Security Management Regulation” (“the Regulation”) by the State Council coordinates the implementation of the data security management requirements stipulated […]
Biometric Data and GDPR Compliance – a Case Analysis
The growing use of biometric systems in workplaces has brought new challenges for data protection, especially with the General Data Protection Regulation (GDPR) in Europe. A recent case in Belgium highlights these issues after a company introduced a fingerprint-based time-tracking system without properly adhering to GDPR rules. Facts In 2020, a Belgian company began using […]
The landscape of online proctoring and the intersection of GDPR and US laws
With the rise of remote learning, online proctoring – used to ensure academic integrity during virtual exams – has become widely adopted by schools and universities across the U.S. These tools use methods like identity verification, video and audio monitoring, eye-tracking, and even AI-based behavioral analysis. As this technology proliferates, concerns about how such software […]
Navigating Employee Email Privacy: Lessons from a recent Fine by Italy’s DPA
The Italian Data Protection Authority (Garante) recently imposed a significant fine of 80,000 euros on a company, for mishandling a sales agent’s email data, highlighting once again the challenges and complexities of managing employee data, in particular when access to employees’ emails is required. The issue arose when the company used a backup of the […]
LinkedIn hit with Fine of 310 Million Euros
LinkedIn Ireland has been fined 310 million euros by the Irish Data Protection Commission (DPC) for breaching several key provisions of the GDPR. The DPC issued this fine following a two-year investigation, which began in 2021. In particular, the investigation focused on LinkedIn’s processing of personal data for the purposes of behavioural analytics and targeted […]
Online Proctoring and Data Protection in Germany and France
Online proctoring refers to the use of digital tools and technologies to remotely monitor students during online exams. This technology typically involves video and audio recording capabilities such as screen and web traffic recording, room recording, periodic desk scans and sometimes methods such as biometric recognition to reduce the potential for academic dishonesty and maintain […]
UK Data Protection Commissioner (ICO) launched a Data Protection Audit Framework
The ICO has recently issued an instrument to support organisations in verifying data protection compliance. The online audit toolkits can be used to conduct both consensual and compulsory audits. The toolkits are designed for organization personnel having familiarity with data protection compliance or data protection professionals (for example: senior management, the data protection officer, internal […]
Unsolicited Email Marketing – Ensuring compliance worldwide
In today’s interconnected world, businesses increasingly depend on email marketing to effectively expand and engage their international customer base. However, when sending unsolicited emails internationally, balancing data protection obligations and the requirements of local laws is crucial for maintaining compliance. This article delves into best practices, outlines the most appropriate legal bases, and examines the […]
EDPB publishes opinion on the “Code of Conduct for Service Providers in Clinical Research” submitted by EUCROF
According to Art. 40 GDPR, associations and other bodies representing categories of controllers or processors are encouraged to prepare codes of conduct, or amend or extend such codes, for the purpose of contributing to the proper application of the GDPR in specific sectors. When such codes of conduct – or amendments to existing ones – […]
CJEU Broadens Definition of Health Data in Pivotal GDPR Ruling
The Court of Justice of the European Union (CJEU) has recently issued a landmark decision (C-21/23 “Lindenapotheke”) that expands the interpretation of what constitutes health data under the General Data Protection Regulation (GDPR). This ruling has significant implications for businesses, especially those involved in the sale of medicinal products online. A Wider Scope of Health […]
A Trip to Canada’s Data Protection Landscape
As we are entering into autumn, most people are traveling the world again. Some prefer a few quiet weeks at the beach, while others are seeking adventures climbing mountains and jumping off cliffs. Nerds like me however, like to discover the curiously wild landscape of Canada’s data protection laws. It keeps us lawyers constantly on […]
How to verify the implementation of Binding Corporate Rules? The CNIL published a monitoring tool
A number of multinational companies operating across multiple jurisdictions and sharing personal data between different countries, have adopted Binding Corporate Rules (BCRs) as a transfer mechanism under Art. 47 of the General Data Protection Regulation (GDPR). BCRs are internal data protection compliance rules to ensure that personal data transferred between their entities, particularly from the […]
Case Analysis: A Landmark Cross-Border Data Transfer Dispute in China
In a significant ruling that underscores the growing emphasis on personal data protection in China, the Guangzhou Internet Court recently concluded a case involving cross-border data transfer violations under the Personal Information Protection Law of the People’s Republic of China (PIPL). The case, titled (2022) Yue 0192 Min Chu 6486, saw Mr. Z, a Chinese […]
US Senate passes Kids Online Safety Act
My kids are growing and so are the worries that I have regarding their use of technology and the internet. In my article, Technology and Children – U.S. Courts Place Injunctions on State Laws for Unconstitutionality, in October 2023, I discussed recent U.S. court injunctions against state laws aimed at protecting children online, citing constitutional […]