A perennial topic among the data protection issues is the deletion of personal data. We regularly receive inquiries on this topic. In the following, we would like to answer some of the most frequently asked questions. When do I have to delete personal data? There are no rigid retention periods in the GDPR, but the […]
English Posts
News on data protection law
Dear Readers, This is to update you on the latest news and developments in matters of data protection law. If you would like to be provided with more details, you may contact us via the commentary function. We will also link to our blog posts if we have already reported on this topic. What has […]
Who is the controller for data processing and who is the processor?
An attempt at delimitation by the European Data Protection Board On 2 September 2020, the European Data Protection Board (EDPB) adopted a first version of a guideline on the concepts of data controller and processor in the GDPR, which we would like to briefly present here. The guidelines are currently only available in English. The […]
France and Apps/Websites: What do the latest CNIL recommendations say?
The Comission Nationale de l’informatique et des libertés, the French Data Protection Authority (‘CNIL’) published FAQs and a new guideline regarding cookies on October 1st, 2020. This guideline that was previously publicly consulted between January 14th to February 25th, 2020 has been developed in consultation with digital advertising stakeholders and civil societies. Stakeholders are requested […]
New California Privacy Rights Act (CPRA) Secured Enough Signatures for Ballot
You may have heard of the California Consumer Protection Act (CCPA) which entered into effect at the beginning of this year. You can find more information here. In the state ballot in November 2020, Californians will be asked to decide the fate of another new privacy law, the California Privacy Rights Act (CPRA). The proposition […]
The CJEU rules in favour of Schrems and invalidates Privacy Shield Decision
In a landmark ruling (‘Data Protection Commissioner v Facebook Ireland and Maximilian Schrems’)[1], the CJEU invalidated the Privacy Shield Decision[2], whereby the Commission had determined that the United States ensured an adequate level of protection for personal data transferred from the Union to organisations in the US. Many organisations involved in transborder data transactions will […]
¿Es un deber notificar la designación del Delegado de Protección de Datos ante las Autoridades de Control?
El Reglamento General de Protección de Datos (RGPD) en su artículo 37.2, menciona la posibilidad de nombrar un Delegado de Protección de Datos (DPD) para un grupo empresarial, siempre y cuando este sea accesible desde cada establecimiento. Bajo esta premisa, entendemos que nombrando un DPD para el grupo se encuentra surtida la obligación. Sin embargo, […]
Is it a duty to notify the Supervisory Authorities of the appointment of the Data Protection Officer under the GDPR?
The General Data Protection Regulation (GDPR) in article 37.2 mentions the possibility of appointing a Data Protection Officer (DPO) for a business group, provided that the DPO is accessible from each establishment. This article has led to the conclusion that by appointing a DPO for the group the obligation is met. However, it is relevant […]
Right to deletion? Dutch Court: Not if overriding interests exist!
Dutch Arnhem-Leeuwarden Court of Appeal (hereinafter “Court”) seems to give insides on what accounts to an overriding interest according to Art. 21 para. 1 GDPR, when considering the right to deletion according to Art. 17 para. 1 lit. c GDPR (see here). Facts The data subject who works as an accountant had provided false information […]
Belgian DPA issues €50.000 fine on an Organisation for non-compliance with GDPR DPO appointment procedure
The Organisation (defendant) designated their Head of Compliance, Risk and Audit as their Data Protection Officer (DPO). The DPA ruled that in doing so, the Organisation violated art. 38(6) GDPR which requires that any tasks of the data protection officer do not result in a conflict of interest. According to the defendant, no conflict of […]
Perfect time to „phish“
The uncertainty caused by COVID 19 has led to a marked increase in a in so-called ‘phishing attacks’ by cyber criminals. Phishing is highly used as the first step in cyber-attacks and is amongst the most prominent causes of data breaches and security incidents for both targeted and opportunistic attacks. Therefore, we would like to […]
Belgian DPA requires small companies using CCTV to maintain a record of processing activity
The APD/GBA (Belgian DPA) in April 2020 decided upon a complaint made in September 2018 with the authority.[1] The affected person claimed that he was filmed by CCTV of a store while walking outside on the sidewalk. The DPA investigated the complaint and requested from the store owner what can be expected: Storage period of […]
Dutch DPA imposes fine on company using fingerprint technology for attendance and time registration
The Autoriteit Persoonsgegevens, Dutch data protection authority, imposed a fine on a company, which relied on scanning their employees’ fingerprints for attendance and time registration.[1] Facts in a nutshell In the case at hand, the respective company introduced the new fingerprint system in order to reduce the fraudulent abuse of the previous attendance and time […]
COVID-19 – New Guidelines on the processing of health data for scientific research
On 21st April 2020, the European Data Protection Board (EDPB) released new guidelines. As a preliminary remark, the EDPB sees that “there are currently great scientific research efforts in the fight against SARS-CoV-2”, which should lead to research results as soon as possible. At the same time, there are legal questions regarding the processing of […]
Dutch Data Protection Authority publishes Decision Aid for Video calling Apps
As a result of the ongoing corona crisis, a lot of companies, as well as private individuals, have increasingly been making use of video calling applications. The Dutch Data Protection Authority (AP) received many questions on how privacy-compliant these apps are and have analysed the 13 most commonly used apps, in particular, their privacy aspects. […]